🚀 cilium/cilium - Release Notes

1.18.0-pre.1 (2025-03-31)

Summary of Changes
------------------

**Major Changes:**
* Add support for kube-apiserver high availability with kube-proxy replacement where the Cilium agent can fail over to an active kube-apiserver at runtime. (cilium/cilium#37601, @aditighag)
* Promote `CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, `CiliumBGPAdvertisement`, `CiliumBGPNodeConfig` and `CiliumBGPNodeConfigOverride` CRDs to v2 API version. (cilium/cilium#37765, @rastislavs)

**Minor Changes:**
* Add support for tunnel routing in multi-pool IPAM mode (cilium/cilium#38483, @pippolo84)
* Add support to capture kernel profiles during performance testing (cilium/cilium#38402, @giorio94)
* Added multi-device support to the L2 pod announcement feature (cilium/cilium#38198, @dylandreimerink)
* Adding an option to disable L3/L4 network policy correlation of Hubble flows (cilium/cilium#37986, @mereta)
* agent: Deprecate --enable-custom-calls (cilium/cilium#38480, @brb)
* BGP control plane: add route aggregation feature (cilium/cilium#37275, @romanspb80)
* BGPv2: Rename the operator metric `cilium_operator_bgp_control_plane_cluster_config_error_count` to `cilium_operator_bgp_control_plane_reconcile_errors_total` and introduce new operator metric: `cilium_operator_bgp_control_plane_reconcile_run_duration_seconds`. Rename the agent metric `cilium_agent_bgp_control_plane_reconcile_error_count` to `cilium_agent_bgp_control_plane_reconcile_errors_total`. (cilium/cilium#37898, @rastislavs)
* Deprecate `CiliumBGPPeeringPolicy` CRD in favor of `cilium.io/v2` CRDs (`CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, `CiliumBGPAdvertisement`, `CiliumBGPNodeConfigOverride`) (cilium/cilium#38397, @rastislavs)
* Deprecate `v2alpha1` version of `CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, `CiliumBGPAdvertisement`, `CiliumBGPNodeConfig` and `CiliumBGPNodeConfigOverride` CRDs in favor of the `v2` version (cilium/cilium#38239, @rastislavs)
* Display IPv4/IPv6 Exclusion CIDRs in cilium status (cilium/cilium#38075, @roman-kiselenko)
* dnsproxy: respond with SERVFAIL for transient failures (cilium/cilium#38002, @antonipp)
* docs: clarify wording of remote-nodes in context of a clustermesh (cilium/cilium#37989, @oblazek)
* exp/lb: Add service.cilium.io/type annotation support (cilium/cilium#38260, @brb)
* Harden against misuse of IPv4 fragments. (cilium/cilium#38202, @gentoo-root)
* Helm: Add the `action` field by default to ServiceMonitor relabelings (cilium/cilium#38052, @logica0419)
* Helm: Adding `conntrack_gc_interval_seconds` metric to monitor conntrack gc intervals (cilium/cilium#38302, @parlakisik)
* Increase granularity of the `api_duration_seconds` metric buckets (cilium/cilium#37365, @jaredledvina)
* loader: attach datapath to IPIP tunnel devices (cilium/cilium#37346, @gyutaeb)
* Make Cilium CLI performance tests not depend on Cilium (cilium/cilium#38245, @giorio94)
* operator: report metrics for internal CiliumNodeSynchronizer queues (cilium/cilium#38286, @antonipp)
* proxy: Bump envoy version to v1.33.0 (cilium/cilium#38340, @sayboras)
* Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (cilium/cilium#37936, @smagnani96)
* Remove deprecated and disabled by default support for running the Cilium KVStore in pod network (cilium/cilium#38040, @giorio94)
* Remove UpdateEC2AdapterLimitViaAPI option and static mapping between instance type and limits in AWS environment. Always fetch the limits via EC2API (cilium/cilium#36922, @liyihuang)
* When creating a new ENI in AWS, make a best effort to select a subnet with the same route table as the host's primary ENI to prevent unexpected routing behavior. (cilium/cilium#37229, @liyihuang)

**Bugfixes:**
* Always detach BPF programs from cilium_wg0 when not needed. (cilium/cilium#38179, @smagnani96)
* Avoid installing no-track rules when IP family is disabled (cilium/cilium#38438, @ysksuzuki)
* bpf:nat: Restore ORG NAT entry if it's not found (cilium/cilium#37747, @gyutaeb)
* cilium-cli: Fix logger busy loop (cilium/cilium#38199, @jrajahalme)
* clustermesh: fix mcs-api count of clusters disagreeing with a conflict (the count was previously increased by one) (cilium/cilium#38267, @MrFreezeex)
* Egress route reconciliation (cilium/cilium#37962, @dylandreimerink)
* Ensure that replies to world-to-pod ICMP in AWS ENI are routed via the correct parent interface. (cilium/cilium#38335, @gentoo-root)
* Fix Allocator leaking IDs in CID controller (cilium/cilium#38196, @dlapcevic)
* Fix IPv6-only clusters not working with multi-pool in some k8s distributions (OpenShift) (cilium/cilium#38472, @liyihuang)
* Fix: cilium-operator no longer patches services on shutdown (cilium/cilium#37967, @rsafonseca)
* hubble/exporter: Fix logging exporter options as JSON (cilium/cilium#38475, @devodev)
* hubble: fix locking of hubble metrics registry for dynamically configured metrics (cilium/cilium#37923, @marseel)
* ipam/aws: properly paginate Operator `DescribeNetworkInterfaces` AWS API calls in ENI IPAM mode in order to avoid throttling, timeouts and errors from the API (cilium/cilium#37983, @antonipp)
* ipam/multi-pool: Periodically perform pool maintenance (cilium/cilium#37895, @gandro)
* netkit: Fix issue where MAC addresses get changed by systemd in L2 mode causing health checks to fail (cilium/cilium#37812, @jrife)
* policy: Fix Endpoint Selector Policy Deadlock (cilium/cilium#38139, @nathanjsweet)
* policy: Fix rare bug that prevented two endpoints that shared the same identity from being simultaneously updated. (cilium/cilium#37910, @nathanjsweet)
* Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (cilium/cilium#38029, @julianwiedmann)
* Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (cilium/cilium#38143, @youngnick)
* Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning a wrong error message `iptables: Incompatible with this kernel` to `iptables -n -L CHAIN` when the chain does not exist. This prevented iptables configuration and induced unnecessary loops and log messages. (cilium/cilium#37749, @fgiloux)

**CI Changes:**
* Add parallel streams throughput tests, and enable them in the EGW workflow (cilium/cilium#38027, @giorio94)
* Align main and stable branch workflows for availability of cilium-cli (cilium/cilium#38138, @joestringer)
* bgpv2: Introduce script component tests for BGPv2 (cilium/cilium#38359, @rastislavs)
* bpf/tests: Bump "occasional failures" threshold in NAT port alloc test (cilium/cilium#38456, @gentoo-root)
* build: update golangci-lint to v2.0.0 (cilium/cilium#38473, @mhofstetter)
* Centralize dynamic test ownership configuration (cilium/cilium#38045, @joestringer)
* ci: build CI images within merge group (cilium/cilium#38065, @marseel)
* ci: disable GW API mirroring conformance tests in conformance-profile too (cilium/cilium#38546, @mhofstetter)
* ci: enable SDS in cloud provider tests (cilium/cilium#37987, @marseel)
* ci: improve gateway api version (commit) evaluation (cilium/cilium#38502, @mhofstetter)
* ci: prepare CI Image build for being required (cilium/cilium#38320, @marseel)
* ci: switch to monitor aggregation medium (cilium/cilium#38036, @marseel)
* ci: temporarily disable gateway api mirror feature tests (cilium/cilium#38513, @mhofstetter)
* ci: use custom kubeconfig for cilium-cli cloud provider tests (cilium/cilium#37970, @marseel)
* ci: wait for images before matrix generation for aws/aks/gke/netperf tests (cilium/cilium#38061, @marseel)
* ci: wait for images in clustermesh/eks workflows (cilium/cilium#37968, @marseel)
* cilium-cli: extend no-interrupted-connections to test Egress Gateway (cilium/cilium#38193, @ysksuzuki)
* cilium-cli: Use distroless (cilium/cilium#38189, @michi-covalent)
* Clear traced UDP v4/v6 connections on check-encryption-leak script. (cilium/cilium#38264, @smagnani96)
* cli: Reduce the flood of the terminal with logs on failure during tests (cilium/cilium#38240, @roman-kiselenko)
* cli: reverse finalizers of connectivity test (cilium/cilium#38232, @marseel)
* connectivity tests: keep tcpdump alive by printing to stdout (cilium/cilium#37984, @asauber)
* connectivity: Add test for source egress in Ingress (cilium/cilium#38053, @sayboras)
* Drop WireGuard encryption strict mode Ginkgo test (cilium/cilium#38538, @pippolo84)
* Egress gateway parallel connections testing (cilium/cilium#37981, @giorio94)
* Ensure packet protocol before using L4 ports in the check-encryption-leak script. (cilium/cilium#38290, @smagnani96)
* Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (cilium/cilium#38265, @smagnani96)
* Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (cilium/cilium#38292, @smagnani96)
* Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (cilium/cilium#38291, @smagnani96)
* gh: e2e-upgrade: also test NS & EGW disruptivity during downgrade (cilium/cilium#38511, @julianwiedmann)
* gh: e2e-upgrade: generate config matrix from file (cilium/cilium#38512, @julianwiedmann)
* gh: e2e-upgrade: minor log output improvements (cilium/cilium#38011, @julianwiedmann)
* gh: ipsec: pin bpf-next LVH image to older version (cilium/cilium#38356, @julianwiedmann)
* gha/scale-egw: make masquerade delay thresholds configurable (cilium/cilium#38295, @giorio94)
* gha: always respect the given image tag in the wait-for-images action (cilium/cilium#37901, @giorio94)
* gha: bump timeout of K8s Network E2E tests test (cilium/cilium#38035, @giorio94)
* Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (cilium/cilium#38278, @smagnani96)
* Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (cilium/cilium#38293, @smagnani96)
* node/manager: Fix TestNodeManagerEmitStatus (cilium/cilium#37991, @dylandreimerink)
* pkg: Mark node_linux_test.go as unparallel (cilium/cilium#38172, @jschwinger233)
* Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (cilium/cilium#38266, @smagnani96)
* proxy/proxyports: fix flake and data race in TestPortAllocator (cilium/cilium#38062, @tklauser)
* Refactoring and code comments for the check-encryption-leak script. (cilium/cilium#38263, @smagnani96)
* renovate: Allow cilium-envoy 1.32 for 1.16 (cilium/cilium#38389, @sayboras)
* Report masqueraded flow through proxy in the check-encryption-leak script. (cilium/cilium#38297, @smagnani96)
* Restore node taints when creating EKS cluster in CI to prevent timeout DNS requests with WireGuard. (cilium/cilium#38371, @smagnani96)
* Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (cilium/cilium#38280, @smagnani96)
* Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (cilium/cilium#38289, @smagnani96)
* Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (cilium/cilium#38287, @smagnani96)
* switch default branch to base branch for trusted context in image build/lint workflows (cilium/cilium#37926, @Artyop)
* Test the awsEnablePrefixDelegation in CI for eks (cilium/cilium#38016, @liyihuang)
* test: Add negative test case for TLS SNI + Inception (cilium/cilium#38194, @sayboras)
* test: remove K8sUpdates leftovers (cilium/cilium#37914, @julianwiedmann)
* Update CL2 in EGW scale test to support EKS 1.32 (cilium/cilium#38115, @giorio94)
* workflows/e2e: Cover IPv6-only (cilium/cilium#38235, @pchaigno)

**Misc Changes:**
* .github/renovate: do not update LVH images (cilium/cilium#38261, @aanm)
* .github/renovate: do not update LVH images for conformance-runtime (cilium/cilium#38310, @julianwiedmann)
* .github: Don't mark 'help-wanted' issues as stale (cilium/cilium#38136, @joestringer)
* .github: remove static commit sha for cilium-cli (cilium/cilium#38038, @aanm)
* Add CEL validation requiring empty `selector` for the PodCIDR `advertisementType` in `BGPAdvertisement` CRD (cilium/cilium#38553, @rastislavs)
* Add CEL validations for `BGPAdvertisement` and `CiliumBGPTimers` in BGP CRDs (cilium/cilium#38478, @rastislavs)
* Add explicit error logging for node information retrieval (cilium/cilium#37453, @thevilledev)
* Add Stream Security to USERS.md (cilium/cilium#38453, @vitali-streamsec)
* add the tests on our cloud providers (without aks) conformance workflows to k8s 1.32 and remove the 1.28 (cilium/cilium#37828, @Artyop)
* agent: Deprecate --enable-session-affinity (cilium/cilium#38447, @brb)
* bgp: Add BGPRouterManager to hive lifecycle to ensure proper cleanup (cilium/cilium#38008, @rastislavs)
* bgp: Add NextHop Self/Unchanged action (cilium/cilium#38393, @YutaroHayakawa)
* bgp: keep bgp table creation public (cilium/cilium#37933, @harsimran-pabla)
* bpf batch improvements (cilium/cilium#38112, @tommyp1ckles)
* bpf/lib/policy: Always define EFFECTIVE_EP_ID (cilium/cilium#37971, @jrajahalme)
* bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (cilium/cilium#38037, @borkmann)
* bpf: clean up compile-test configurations (cilium/cilium#37913, @julianwiedmann)
* bpf: extract helper to set up metadata for local-delivery (cilium/cilium#38392, @julianwiedmann)
* bpf: ipsec: add helper to encode the magic ENCRYPT mark value (cilium/cilium#38431, @julianwiedmann)
* bpf: let MARK_MAGIC_EGW_DONE carry source identity (cilium/cilium#38430, @julianwiedmann)
* bpf: misc proxy delegation follow-ups (cilium/cilium#38190, @borkmann)
* bpf: nodeport: preserve monitor aggregation in egress path (cilium/cilium#38312, @julianwiedmann)
* bpf: overlay: clear skb->cb at start of to-overlay program (cilium/cilium#38001, @julianwiedmann)
* bpf: remove dynamic map names and map macros (cilium/cilium#37469, @ti-mo)
* bpf: srv6: don't include unused fib.h (cilium/cilium#38311, @julianwiedmann)
* bpf: support ipv6 egressgateway policies (cilium/cilium#37713, @rgo3)
* bpf: tolerate dropped ICMPv6 messages with ICMPv6 payload (cilium/cilium#38068, @julianwiedmann)
* bpf:hubble: update trace/drop notify for L2-less packets (cilium/cilium#37097, @smagnani96)
* bugtool: collect more detailed link statistics (cilium/cilium#38391, @julianwiedmann)
* Bump StateDB to version 0.3.7 (cilium/cilium#38151, @joamaki)
* cec: support for explicit control of Cilium Policy enforcement Envoy filter injection (cilium/cilium#37868, @mhofstetter)
* cec: Switch to slog (cilium/cilium#38003, @sayboras)
* chore(deps): update all github action dependencies (main) (cilium/cilium#38271, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#38427, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#38460, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#38213, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#38309, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#38422, @cilium-renovate[bot])
* chore(deps): update all lvh-images main to bpf-next-20250324.013134 (main) (patch) (cilium/cilium#38598, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#38047, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#38147, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#38383, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#38541, @cilium-renovate[bot])
* chore(deps): update cilium/cilium-cli action to v0.18.2 (main) (cilium/cilium#38091, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.18.1 (main) (cilium/cilium#38046, @cilium-renovate[bot])
* chore(deps): update dependency protocolbuffers/protobuf to v30 (main) (cilium/cilium#38272, @cilium-renovate[bot])
* chore(deps): update dependency protocolbuffers/protobuf to v30.2 (main) (cilium/cilium#38604, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.24.1 docker digest to 52ff1b3 (main) (cilium/cilium#38421, @cilium-renovate[bot])
* chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.20 (main) (cilium/cilium#38424, @cilium-renovate[bot])
* chore(deps): update go to v1.24.1 (main) (cilium/cilium#38092, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.64.6 (main) (cilium/cilium#38093, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.64.8 (main) (cilium/cilium#38270, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v2.0.1 (main) (cilium/cilium#38484, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v2.0.2 (main) (cilium/cilium#38600, @cilium-renovate[bot])
* chore(deps): update module github.com/containerd/containerd to v1.7.27 [security] (main) (cilium/cilium#38246, @cilium-renovate[bot])
* chore(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.2 [security] (main) (cilium/cilium#38419, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.1-1742558646-8b0b9457d174fe9cc137e273a547535d79a7bb1f (main) (cilium/cilium#38408, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.33.1-1742784275-e76b29a8d9694b2a6a015b6b9bb82a450bf51451 (main) (cilium/cilium#38440, @cilium-renovate[bot])
* cilium, tests: Revert enable distributedLRU in netkit e2e tests (cilium/cilium#38130, @borkmann)
* cilium-cli: add IPv6 connectivity test for LocalRedirectPolicy (cilium/cilium#37192, @saiaunghlyanhtet)
* cilium-cli: add test owners as part of junit files (cilium/cilium#38269, @aanm)
* cilium-cli: Allow running outside the Cilium tree (cilium/cilium#38133, @joestringer)
* cilium-dbg: Set terminal size in 'cilium-dbg shell' (cilium/cilium#38377, @joamaki)
* cilium: Conditional BPF attachment of IPIP in attachNetworkDevices (cilium/cilium#38191, @borkmann)
* cilium: host proxy delegation infra (cilium/cilium#37973, @borkmann)
* clarify community support in contributing.md (cilium/cilium#38067, @xmulligan)
* clean up mapstate generation slightly (cilium/cilium#38103, @squeed)
* cli: Load code owners dynamically via --code-owners (cilium/cilium#38044, @joestringer)
* clustermesh: Implement MergeExternal* for experimental LB (cilium/cilium#38220, @joamaki)
* cnp: correct http header matching field description and docu (cilium/cilium#38357, @mhofstetter)
* CODEOWNERS: polish sig-datapath related entries (cilium/cilium#38250, @julianwiedmann)
* codeowners: update client_egress* cli tests ownership (cilium/cilium#37957, @marseel)
* CODEOWNERS: Update owners for .github (cilium/cilium#38504, @joestringer)
* Consistent clang invocation between Cilium agent and makefiles (cilium/cilium#38586, @gentoo-root)
* container: Clone before sorting in NewImmSet (cilium/cilium#37880, @joamaki)
* contrib: Add wait duration variable (cilium/cilium#38063, @sayboras)
* contrib: Support builder.sh on machines without Go (cilium/cilium#38423, @joestringer)
* daemon: Fix opening of SkipLBMap early in initialization (cilium/cilium#38163, @joamaki)
* daemon: set allocation range log level to debug (cilium/cilium#38177, @acudovs)
* datapath: provide node configuration at runtime (cilium/cilium#38244, @ti-mo)
* deps: Bump cilium/proxy to the latest (cilium/cilium#38256, @sayboras)
* deps: Bump gateway-api version to the latest (cilium/cilium#36926, @sayboras)
* doc(troubleshooting): add -verbose to cilium-health status (cilium/cilium#38169, @alagoutte)
* doc: Add Documentation about install on Broadcom (VMware) ESXi / NSX (cilium/cilium#38167, @alagoutte)
* doc: Envoy daemonset works on OpenShift (cilium/cilium#38236, @fgiloux)
* doc: use rollout restart after configuring identity-relevant labels (cilium/cilium#38041, @wedaly)
* docs: add CoreWeave to USERS.md (cilium/cilium#38088, @dswaffordcw)
* docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (cilium/cilium#38173, @yrsuthari)
* docs: add per-node default pool example (cilium/cilium#38135, @acudovs)
* docs: correct some typos under option package (cilium/cilium#38479, @Kaniikura)
* docs: Correct the envoy circuit-breaking example manifest (cilium/cilium#38158, @raphink)
* docs: Document jitter applied to BGP ConnectRetryTimeSeconds (cilium/cilium#38231, @rastislavs)
* docs: fix broken links (cilium/cilium#37995, @nueavv)
* docs: Fix quotes in CiliumNodeConfig example (cilium/cilium#38534, @samsonkolge)
* docs: Mention how to remove CEW stale resources (cilium/cilium#38241, @brb)
* docs: Update LLVM requirements to 18.1 (cilium/cilium#38294, @gentoo-root)
* Documentation: "cilium config set" restarts by default (cilium/cilium#38114, @joamaki)
* Documentation: Add test scripts sections to Hive and StateDB docs (cilium/cilium#37871, @joamaki)
* Documentation: fix mentions of per-node `cilium-dbg` tool (cilium/cilium#38276, @tklauser)
* endpoint: fix typos in InitWithIngressLabels() (cilium/cilium#37958, @julianwiedmann)
* endpoint: remove Owner interface (cilium/cilium#38535, @mhofstetter)
* envoy: extract envoyL7RulesTranslator component from xds server (cilium/cilium#37894, @mhofstetter)
* experimental/redirectpolicy: Extend the tests to cover IPv6 (cilium/cilium#38486, @joamaki)
* experimental: Fixes from running full CI (cilium/cilium#38162, @joamaki)
* experimental: Ignore the dummy ingress endpoint (cilium/cilium#38482, @joamaki)
* experimental: Implement support for topology-aware routing (cilium/cilium#38277, @joamaki)
* experimental: Slim down services table format (cilium/cilium#38284, @joamaki)
* Fix a bug that prevented inter-cluster-SNAT reply traffic from being routed via the overlay network. (cilium/cilium#37972, @julianwiedmann)
* Fix cli disconnect error message (cilium/cilium#38545, @samsonkolge)
* Fix log imports from cloudflare (cilium/cilium#38573, @aanm)
* fix SBOM attestation documentation (cilium/cilium#38429, @jaehanbyun)
* fix(deps): update all go dependencies main (main) (cilium/cilium#37943, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#38273, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#38425, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#38601, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#38216, @cilium-renovate[bot])
* fix(deps): update go-openapi packages (main) (cilium/cilium#38253, @cilium-renovate[bot])
* fix(deps): update kubernetes packages to v0.32.3 (main) (cilium/cilium#38254, @cilium-renovate[bot])
* fix(deps): update module github.com/aws/aws-sdk-go-v2/config to v1.29.12 (main) (cilium/cilium#38602, @cilium-renovate[bot])
* fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.210.1 (main) (cilium/cilium#38426, @cilium-renovate[bot])
* fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azcore to v1.17.1 (main) (cilium/cilium#38433, @cilium-renovate[bot])
* fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 to v6.4.0 (main) (cilium/cilium#38605, @cilium-renovate[bot])
* fix(deps): update opentelemetry-go monorepo to v1.35.0 (main) (cilium/cilium#38255, @cilium-renovate[bot])
* fix(Documentation/installationk0s.rst): adjust kuberouter naming in k0s documentation (cilium/cilium#38243, @RiRa12621)
* fqdn/dnsproxy: use `netip.Addr` for `DNSProxy.usedServers` (cilium/cilium#37985, @tklauser)
* fqdn: move defaultdns from pkg/proxy to pkg/fqdn (cilium/cilium#38282, @mhofstetter)
* helm: Add missing secret lookups for "hubble-relay-client-certs" and "hubble-server-certs" (cilium/cilium#38355, @Javex)
* helm: multi-pool mode requires enable-endpoint-routes (cilium/cilium#38176, @acudovs)
* helm: support hubble-ui service specific labels (cilium/cilium#38325, @joaoubaldo)
* helm: Validating whether one of native routing cidr (ipv4NativeRoutingCIDR or ipv4NativeRoutingCIDR) is defined when routingMode is set to native (cilium/cilium#38372, @parlakisik)
* hubble: fix debug GetFlows log line (cilium/cilium#38084, @alingse)
* hubble: provide exporter builders to the cell (cilium/cilium#37625, @devodev)
* ipam/aws: use defer for ec2 mock api (cilium/cilium#38128, @liyihuang)
* ipcache: reduce labels map memory churn in resolveLabels a bit (cilium/cilium#38494, @tklauser)
* ipcache: Slightly optimize calls to fetch tunnel and encrypt metadata (cilium/cilium#38021, @christarazi)
* ipcache: unexport and rename internal methods (cilium/cilium#37917, @tklauser)
* ipsec: remove stale encrypted overlay comments (cilium/cilium#37934, @ldelossa)
* k8s: Add update permission for CGCC CRD (cilium/cilium#38071, @sayboras)
* k8s: move portforward functionality to separate sub-package (cilium/cilium#38060, @tklauser)
* Make ipcache async api cluster id aware (cilium/cilium#38379, @pippolo84)
* make: load docker images sequentially into kind nodes (cilium/cilium#38174, @mhofstetter)
* Modernize Go map and slice operations (cilium/cilium#38126, @tklauser)
* mtu: Catch expected error in endpoint MTU updater (cilium/cilium#36596, @dylandreimerink)
* node/manager: explicitly define daemon statedir in test (cilium/cilium#38252, @mhofstetter)
* pkg/api: migrate to slog (cilium/cilium#37902, @aanm)
* pkg/bgp: migrate to slog (cilium/cilium#37908, @aanm)
* pkg/ciliumenvoyconfig: cleanup some slog migration (cilium/cilium#38028, @aanm)
* pkg/clustermesh: migrate to slog (cilium/cilium#38005, @aanm)
* pkg/controller: fix data race in update params locked (cilium/cilium#38327, @aanm)
* pkg/endpoint: fix GetLabels data race access (cilium/cilium#38328, @aanm)
* pkg/endpoint: fix race in unit test (cilium/cilium#38129, @squeed)
* pkg/hive/health: Set level to LevelStopped when stopping (cilium/cilium#37876, @joamaki)
* pkg/hubble: migrate to slog (cilium/cilium#37921, @aanm)
* pkg/k8s: migrate to slog (cilium/cilium#38242, @aanm)
* pkg/kvstore: migrate to slog (cilium/cilium#38156, @aanm)
* pkg/policy: migrate to slog (cilium/cilium#37988, @aanm)
* pkg/service: migrate to slog (cilium/cilium#38180, @aanm)
* pkg: loader: remove cleanup of legacy cilium_calls_xdp map (cilium/cilium#38025, @julianwiedmann)
* policy/api: use `omitzero` option for `enableDefaultDeny` field (cilium/cilium#37896, @tklauser)
* policy/group: de-duplicate derivative policy add/update/delete operations (cilium/cilium#38492, @tklauser)
* policy/groups: remove unused, always-nil return values (cilium/cilium#38363, @tklauser)
* policy: Move L7 parser type to PerSelectorPolicy (cilium/cilium#37887, @jrajahalme)
* policy: Run namespace watcher only when policies are enabled (cilium/cilium#36686, @dlapcevic)
* policy: sync policy map for fake endpoints (cilium/cilium#38367, @harsimran-pabla)
* Prepare for release v1.18.0-pre.0 (cilium/cilium#37966, @cilium-release-bot[bot])
* Propagate MODIFIERS when building hubble CLI in cilium image (cilium/cilium#38288, @HadrienPatte)
* proxy: merge package pkg/proxy/logger into pkg/proxy/accesslog (cilium/cilium#38121, @mhofstetter)
* proxy: modularize proxy access logger (cilium/cilium#38009, @mhofstetter)
* proxy: Provide DefaultDNSProxy as a Hive Cell (cilium/cilium#38020, @nathanjsweet)
* README: Post release changes (cilium/cilium#38211, @jrajahalme)
* README: Update releases (cilium/cilium#37979, @joestringer)
* Remove dependency from cilium-cli onto `pkg/datapath` and `github.com/cilium/ebpf` (cilium/cilium#38364, @tklauser)
* remove the endpointRoutes for aws cni in the doc (cilium/cilium#38381, @liyihuang)
* Remove trailing whitespace characters from helm templates (cilium/cilium#38237, @HadrienPatte)
* Report in the documentation the potential limitations (and unofficial workarounds) of Cilium with Kata Containers. (cilium/cilium#38033, @smagnani96)
* Restore and convert tests for builtins to BPF unit test framework (cilium/cilium#38414, @gentoo-root)
* Revert: ci: run each commit concurrently in lint-build-commits (cilium/cilium#37969, @devodev)
* service: selective node exposure via labelselector (cilium/cilium#37916, @mhofstetter)
* Set runtime image directory as variable in images/scripts/update-cilium-runtime-image.sh & images/Makefile (cilium/cilium#38074, @Artyop)
* Standardize hubble and cilium CLIs makefile (cilium/cilium#37716, @HadrienPatte)
* Test IPv4 and IPv6 explicitly in PodToWorld and PodToWorld2 connectivity tests (cilium/cilium#37435, @gentoo-root)
* This change decouples the payload parser from the Hubble control plane, allowing Hubble to work as a standalone component without the Cilium dataplane. (cilium/cilium#38368, @ritwikranjan)
* Throw build bug when using TRACE_{FROM,TO}_CRYPTO from unexpected files and cleanup unevaluated build_bug_on. (cilium/cilium#38470, @smagnani96)
* Update per-node-config.rst (cilium/cilium#38069, @snap87)
* Use Hive to provide resource list to k8swatcher. (cilium/cilium#37886, @rectified95)
* Use more efficient `SplitSeq` instead of `Split` (cilium/cilium#38157, @tklauser)
* uses set-runtime-image image action in release and hotfix build workflows (cilium/cilium#38549, @Artyop)
* vendor: Bump hive to latest version (cilium/cilium#38109, @joamaki)
* vendor: Revert cilium/ebpf to v0.17.1 (cilium/cilium#38334, @joestringer)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.18.0-pre.1@sha256:1dc72282d55bb44d71b3fb48f322cdfa5c6d324abc9308272721f355f8d17ed9`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.18.0-pre.1@sha256:23aaf1a99d6a634ae53494fca740021803df3f41fe7ee3e6729b65121f254b03`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.18.0-pre.1@sha256:3f7b22e8e415c81c98581009b4567f0f729ea338507735cc0fea1a8c7e23097d`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.18.0-pre.1@sha256:e1602153f212bcb1a5bfa9262ec020e2bf8b102655cdc5699ff818cad33c26c0`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.18.0-pre.1@sha256:6f654d91a87cbdc2fd670ae0e0abac54a4cc4bf54e451566798b8936abfe905c`

### operator-aws

`quay.io/cilium/operator-aws:v1.18.0-pre.1@sha256:87f3283922ac1b8049c5296f427249ca0809b21b11a16846687353b49b134878`

### operator-azure

`quay.io/cilium/operator-azure:v1.18.0-pre.1@sha256:684d9b0db4041abf631d34db5fd5e23dc5b895d96cb0c0cbee9ece8ad9f55912`

### operator-generic

`quay.io/cilium/operator-generic:v1.18.0-pre.1@sha256:f0c61a9fa825176b437204623252bb11cc97c9390ec8cd79bac620e8934224b0`

### operator

`quay.io/cilium/operator:v1.18.0-pre.1@sha256:418f5d0a2910170553eed5690d77c575ff5026a40a45d49a5c1e775a633128b5`


1.17.2 (2025-03-15)

Summary of Changes
------------------

**Minor Changes:**
* docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37989, @oblazek)
* Increase granularity of the `api_duration_seconds` metric buckets (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37365, @jaredledvina)
* New agent option `--policy-restore-timeout` (default 3m) has been added to bound the maximum time Cilium agent waits for endpoint policies to regenerate before starting serving resources to `cilium-envoy` proxy. (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37658, @jrajahalme)
* Set json output as default for `cilium-dbg endpoint get` (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#36537, @saiaunghlyanhtet)
* Set json output as default for `cilium-dbg endpoint get` (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#36537, @saiaunghlyanhtet)

**Bugfixes:**
* Apply Egress bandwidth-limiting only once for traffic that is matched by an Egress Gateway policy. (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37674, @julianwiedmann)
* Auth policy is properly maintained also when covered by proxy redirects. (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37685, @jrajahalme)
* Do not auto detect / auto select IPoIB devices (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37553, @dylandreimerink)
* Egress route reconciliation (Backport PR cilium/cilium#38118, Upstream PR cilium/cilium#37962, @dylandreimerink)
* Fix a regression that made it impossible to disable Hubble via Helm charts (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37587, @devodev)
* Fix bug causing `cilium-dbg bpf` commands to fail with a map not found error in IPv6-only clusters. (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37787, @pchaigno)
* Fix creating ServiceMonitor for Hubble when dynamic metrics are enabled in the Helm chart (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37474, @dustinspecker)
* Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37419, @javanthropus)
* Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#36978, @tommasopozzetti)
* Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37818, @haozhangami)
* Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics. (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37543, @rectified95)
* Fix service id exceeds max limit (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37191, @haozhangami)
* Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37532, @antonipp)
* Fix the possible race condition caused by async update from aws to instance map in issue #36428 (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37650, @liyihuang)
* Fix traffic not getting masqueraded with wildcard devices or egress-masquerade-interfaces when enable-masquerade-to-route-source flag is set. (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37450, @liyihuang)
* fix(helm): multiPoolPreAllocation fix conditional avoid null (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37585, @acelinkio)
* fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37236, @dee-kryvenko)
* fix: duplicate label maps in helm chart templates and add missing commonlabels (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37693, @cmergenthaler)
* Fix: Resolved an issue causing ArgoCD to report constant out-of-sync status due to the hasKey check in Helm. The condition has been simplified to ensure proper synchronization. No functional changes to deployments. (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37536, @nicl-dev)
* Fixed Envoy JSON log format conversion in Helm, preventing crashes. (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37656, @kahirokunn)
* helm: fix large number handling (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37670, @justin0u0)
* hubble: escape terminal special characters from observe output (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37401, @devodev)
* hubble: fix locking of hubble metrics registry for dynamically configured metrics (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37923, @marseel)
* identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#36657, @oblazek)
* ipam/multi-pool: Periodically perform pool maintenance (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37895, @gandro)
* operator: explicit controller-runtime controller names to avoid naming conflicts (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37606, @mhofstetter)
* operator: Fix duplicate configurations (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37293, @joestringer)
* Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#38029, @julianwiedmann)
* Updated Gateway API and GAMMA processing to remove incorrect behavior when both parentRefs were present. (Backport PR cilium/cilium#38154, Upstream PR cilium/cilium#38143, @youngnick)
* Workaround for iptables 1.8.10, used in OpenShift 4.16, 4.17 and 4.18, returning a wrong error message `iptables: Incompatible with this kernel` to `iptables -n -L CHAIN` when the chain does not exist. This prevents iptables configuration and induced unnecessary loops and log messages. (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37749, @fgiloux)

**CI Changes:**
* .github: Remove misleading step from ipsec workflow (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37681, @joestringer)
* .github: s/enbaled/enabled/ (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37449, @chansuke)
* bgpv1: wait for watchers to be ready in tests (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37884, @harsimran-pabla)
* CI: GKE backslash missing disable insecure kubelet (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37850, @auriaave)
* CI: GKE, disable insecure kubelet readonly port (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37844, @auriaave)
* ci: switch to monitor aggregation medium (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#38036, @marseel)
* gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37551, @jschwinger233)
* gh: ipsec-e2e: add concurrency for connectivity tests (Backport PR cilium/cilium#37925, Upstream PR cilium/cilium#37891, @julianwiedmann)
* gh: update naming for bpftrace leak detection script (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37865, @julianwiedmann)

**Misc Changes:**
* always render enable-hubble in the Cilium configmap (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37703, @kaworu)
* bpf: Add option to utilize core maps via BPF_F_NO_COMMON_LRU (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#38037, @borkmann)
* bpf: minor clean-ups for the ENI symmetric routing feature (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37379, @julianwiedmann)
* chore(deps): update all github action dependencies (v1.17) (cilium/cilium#37950, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#37944, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#38048, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.17.0 (v1.17) (cilium/cilium#37793, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.17) (cilium/cilium#37949, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.17) (cilium/cilium#38057, @cilium-renovate[bot])
* chore(deps): update go to v1.23.7 (v1.17) (cilium/cilium#37996, @cilium-renovate[bot])
* chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.17) (cilium/cilium#37833, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.17) (cilium/cilium#38148, @cilium-renovate[bot])
* cilium-dbg: output parentIfIndex in bpf endpoint list (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37398, @Mahdi-BZ)
* cilium: Allow to configure tunnel source port range (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37777, @borkmann)
* cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37808, @borkmann)
* docs: complete load balancer service manifest in kubeproxy-free (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37466, @ybelleguic)
* docs: fix broken links (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37995, @nueavv)
* docs: masquerading: mention that BPF masq also pulls in BPF Host-Routing (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37604, @julianwiedmann)
* docs: use latest for rtd theme commit with fixed version selector (Backport PR cilium/cilium#37614, Upstream PR cilium/cilium#37421, @ayuspin)
* envoy: remove duplicated service/endpointslice informers when envoyConfig is enabled (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37683, @marseel)
* Fix API generation and add trusted dependencies to renovate config (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#36957, @aanm)
* Fix API generation and add trusted dependencies to renovate config (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#36957, @aanm)
* Fix helm value for IPAM Multi-Pool (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37963, @saintdle)
* fqdn/dnsproxy: use `netip.Addr` for `DNSProxy.usedServers` (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#37985, @tklauser)
* gha: Update the helm flag for TLS related test (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37428, @sayboras)
* ipcache: Slightly optimize calls to fetch tunnel and encrypt metadata (Backport PR cilium/cilium#38104, Upstream PR cilium/cilium#38021, @christarazi)
* labels: fix TestNewFrom test (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37846, @giorio94)
* Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37399, @ritwikranjan)
* operator: Explicitly init the FQDN regex LRU cache (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37366, @christarazi)
* pkg/hive: always use default logger when decorating cells (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37636, @aanm)
* policy: Skip iteration when proxy port priority is zero (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37422, @jrajahalme)
* Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR cilium/cilium#37904, Upstream PR cilium/cilium#37806, @rolinh)
* Update Hubble UI to v0.13.2 which contains security fixes, add the missing traffic direction in the flow table, and enhance the home namespace list. See [v0.13.2](https://github.com/cilium/hubble-ui/releases/tag/v0.13.2) for more details (Backport PR cilium/cilium#37742, Upstream PR cilium/cilium#37631, @yannikmesserli)
* use runtime image set by env var action in build and lint (Backport PR cilium/cilium#37648, Upstream PR cilium/cilium#37253, @Artyop)

**Other Changes:**
* [v1.17] Revert "Fix dropped NodePort traffic to hostNetwork backends with Geneve+DSR" (cilium/cilium#38101, @julianwiedmann)
* Backport set runtime action 1.17 (cilium/cilium#37854, @Artyop)
* gha: Update GatewayAPI conformance report (cilium/cilium#37671, @sayboras)
* install: Update image digests for v1.17.1 (cilium/cilium#37580, @cilium-release-bot[bot])
* v1.17: gh/workflows: Remove conformance-externalworkloads (cilium/cilium#37738, @brb)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.2@sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1`
`quay.io/cilium/cilium:stable@sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.2@sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.2@sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c`
`quay.io/cilium/docker-plugin:stable@sha256:a599893f1fc76fc31afad2bbb73af7e7f618adbf02043b2098fafeca4adf551c`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.2@sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc`
`quay.io/cilium/hubble-relay:stable@sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.2@sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe`
`quay.io/cilium/operator-alibabacloud:stable@sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.2@sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c`
`quay.io/cilium/operator-aws:stable@sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.2@sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0`
`quay.io/cilium/operator-azure:stable@sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.2@sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249`
`quay.io/cilium/operator-generic:stable@sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249`

### operator

`quay.io/cilium/operator:v1.17.2@sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419`
`quay.io/cilium/operator:stable@sha256:697a7e6c4765ef053d33dd2d9d7f14642c01dfa7333ad7902de7ca5afbf3b419`


1.16.8 (2025-03-15)

Summary of Changes
------------------

**Minor Changes:**
* docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR cilium/cilium#38106, Upstream PR cilium/cilium#37989, @oblazek)
* Increase granularity of the `api_duration_seconds` metric buckets (Backport PR cilium/cilium#38014, Upstream PR cilium/cilium#37365, @jaredledvina)

**Bugfixes:**
* Do not auto detect / auto select IPoIB devices (Backport PR cilium/cilium#37647, Upstream PR cilium/cilium#37553, @dylandreimerink)
* Egress route reconciliation (Backport PR cilium/cilium#38120, Upstream PR cilium/cilium#37962, @dylandreimerink)
* Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR cilium/cilium#37900, Upstream PR cilium/cilium#37419, @javanthropus)
* Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR cilium/cilium#37900, Upstream PR cilium/cilium#37818, @haozhangami)
* Fix the `--dns-policy-unload-on-shutdown` feature for restored endpoints (Backport PR cilium/cilium#37647, Upstream PR cilium/cilium#37532, @antonipp)
* fix: cilium-config configmap was incorrectly resulting in values like `2.09715…2e+06` instead of `2097152` (Backport PR cilium/cilium#37647, Upstream PR cilium/cilium#37236, @dee-kryvenko)
* Fix: cilium-operator no longer patches services on shutdown (Backport PR cilium/cilium#38106, Upstream PR cilium/cilium#37967, @rsafonseca)
* helm: fix large number handling (Backport PR cilium/cilium#37743, Upstream PR cilium/cilium#37670, @justin0u0)
* hubble: escape terminal special characters from observe output (Backport PR cilium/cilium#37647, Upstream PR cilium/cilium#37401, @devodev)
* identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (Backport PR cilium/cilium#38014, Upstream PR cilium/cilium#36657, @oblazek)
* Restore aggregation of network trace events for Egress Gateway reply traffic on the gateway node (Backport PR cilium/cilium#38106, Upstream PR cilium/cilium#38029, @julianwiedmann)

**CI Changes:**
* .github: Remove misleading step from ipsec workflow (Backport PR cilium/cilium#37743, Upstream PR cilium/cilium#37681, @joestringer)
* bgpv1: wait for watchers to be ready in tests (Backport PR cilium/cilium#38014, Upstream PR cilium/cilium#37884, @harsimran-pabla)
* ci: add leak detection to conformance-ipsec-upgrade (Backport PR cilium/cilium#36575, Upstream PR cilium/cilium#36377, @smagnani96)
* CI: GKE backslash missing disable insecure kubelet (Backport PR cilium/cilium#37900, Upstream PR cilium/cilium#37850, @auriaave)
* CI: GKE, disable insecure kubelet readonly port (Backport PR cilium/cilium#37900, Upstream PR cilium/cilium#37844, @auriaave)
* ci: switch to monitor aggregation medium (Backport PR cilium/cilium#38106, Upstream PR cilium/cilium#38036, @marseel)
* Cleanups after LLVM upgrade. (Backport PR cilium/cilium#37801, Upstream PR cilium/cilium#32067, @gentoo-root)

**Misc Changes:**
* [v1.16] docs: Update requirements.txt dependencies (cilium/cilium#37616, @joestringer)
* allocator: correctly propagate context to RunGC call (Backport PR cilium/cilium#37743, Upstream PR cilium/cilium#36034, @giorio94)
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#37952, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#37997, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#38049, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.16) (cilium/cilium#37951, @cilium-renovate[bot])
* chore(deps): update go to v1.23.7 (v1.16) (cilium/cilium#37998, @cilium-renovate[bot])
* chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.16) (cilium/cilium#37834, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.16) (cilium/cilium#38149, @cilium-renovate[bot])
* docs: fix broken links (Backport PR cilium/cilium#38106, Upstream PR cilium/cilium#37995, @nueavv)
* Fix API generation and add trusted dependencies to renovate config (Backport PR cilium/cilium#37647, Upstream PR cilium/cilium#36957, @aanm)
* Fix helm value for IPAM Multi-Pool (Backport PR cilium/cilium#38014, Upstream PR cilium/cilium#37963, @saintdle)
* labels: fix TestNewFrom test (Backport PR cilium/cilium#37900, Upstream PR cilium/cilium#37846, @giorio94)
* Moves Unix socket listener configuration to a new file specifically for Linux builds. (Backport PR cilium/cilium#37647, Upstream PR cilium/cilium#37399, @ritwikranjan)
* Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR cilium/cilium#37900, Upstream PR cilium/cilium#37806, @rolinh)
* wireguard: attach Ingress program for native routing mode configurations (Backport PR cilium/cilium#38117, Upstream PR cilium/cilium#37108, @julianwiedmann)

**Other Changes:**
* [v1.16] images: update cilium-{runtime,builder} (cilium/cilium#38054, @julianwiedmann)
* install: Update image digests for v1.16.7 (cilium/cilium#37709, @cilium-release-bot[bot])
* v1.16: gh/workflows: Remove conformance-externalworkloads (cilium/cilium#37739, @brb)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.16.8@sha256:569ec9056ef2e3b283edb508b31e4ff04058cb7bd551cc9433512ebdef07804d`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.8@sha256:5ea1c42de93879a853e35a1287dfc0c2bcf912fcdc8ce092dfb322819123c8ea`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.8@sha256:74664fa646f3fe6b8615830b21073602dece8b5397db7384b5aa0e585857265e`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.8@sha256:498c04894fc95b6792d713dfb5e11aad236d41433710ddf73425483e855170be`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.8@sha256:409009711eab9e0f97c13c67c9b18aa48be130d970f09b067e1ae35df24b2252`

### operator-aws

`quay.io/cilium/operator-aws:v1.16.8@sha256:c596b30650899c5ecde8b114e0a4e8679f83122c2477056d8d437df78b7a981b`

### operator-azure

`quay.io/cilium/operator-azure:v1.16.8@sha256:c9dc8757e5941c72764b4a73d39c270378f156cc005722db95c77e0d1897dd04`

### operator-generic

`quay.io/cilium/operator-generic:v1.16.8@sha256:86c879ed25396a992fb8bf0297289f0b61f30f9a4a260f483abbdb39d919644d`

### operator

`quay.io/cilium/operator:v1.16.8@sha256:c2b0716672ce2bf68c2679c8b98ddab4c80f2c6891560e538ce4e117240ba220`


1.15.15 (2025-03-15)

Summary of Changes
------------------

**Minor Changes:**
* docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR cilium/cilium#38107, Upstream PR cilium/cilium#37989, @oblazek)

**Bugfixes:**
* Egress route reconciliation (Backport PR cilium/cilium#38124, Upstream PR cilium/cilium#37962, @dylandreimerink)
* Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR cilium/cilium#37899, Upstream PR cilium/cilium#37419, @javanthropus)
* Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR cilium/cilium#37899, Upstream PR cilium/cilium#37818, @haozhangami)
* Fix: cilium-operator no longer patches services on shutdown (Backport PR cilium/cilium#38107, Upstream PR cilium/cilium#37967, @rsafonseca)

**CI Changes:**
* .github: Remove misleading step from ipsec workflow (Backport PR cilium/cilium#37744, Upstream PR cilium/cilium#37681, @joestringer)
* ci: add leak detection to conformance-ipsec-upgrade (Backport PR cilium/cilium#36576, Upstream PR cilium/cilium#36377, @smagnani96)
* CI: GKE backslash missing disable insecure kubelet (Backport PR cilium/cilium#37899, Upstream PR cilium/cilium#37850, @auriaave)
* CI: GKE, disable insecure kubelet readonly port (Backport PR cilium/cilium#37899, Upstream PR cilium/cilium#37844, @auriaave)
* ci: switch to monitor aggregation medium (Backport PR cilium/cilium#38107, Upstream PR cilium/cilium#38036, @marseel)
* Cleanups after LLVM upgrade. (Backport PR cilium/cilium#37800, Upstream PR cilium/cilium#32067, @gentoo-root)

**Misc Changes:**
* .github: add missing files to build-image base images (cilium/cilium#38066, @aanm)
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#37954, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#37999, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#38050, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.15) (cilium/cilium#37953, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.15) (cilium/cilium#38078, @cilium-renovate[bot])
* chore(deps): update go to v1.23.7 (v1.15) (cilium/cilium#38000, @cilium-renovate[bot])
* chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (v1.15) (cilium/cilium#37835, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.15) (cilium/cilium#38150, @cilium-renovate[bot])
* docs: fix broken links (Backport PR cilium/cilium#38107, Upstream PR cilium/cilium#37995, @nueavv)
* Fix helm value for IPAM Multi-Pool (Backport PR cilium/cilium#38013, Upstream PR cilium/cilium#37963, @saintdle)
* images: update cilium-runtime/builder images (cilium/cilium#38186, @jrajahalme)
* Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR cilium/cilium#37899, Upstream PR cilium/cilium#37806, @rolinh)

**Other Changes:**
* [v1.15] Revert "chore(deps): update dependency cilium/cilium-cli to v0.18.0" (cilium/cilium#38004, @julianwiedmann)
* install: Update image digests for v1.15.14 (cilium/cilium#37710, @cilium-release-bot[bot])
* v1.15: gh/workflows: Remove conformance-externalworkloads (cilium/cilium#37740, @brb)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.15.15@sha256:d389a21c8ceefbb86e7f1a15b18a5a6a5b372431b2528314fa456133a7617e7a`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.15.15@sha256:cec3446d019af240d99ae14f8550fb7f59c02066535130f4b609fadb5b63f79b`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.15.15@sha256:abe0e3fb8f3826e21b93cba3b5b8bc153b8bc50f7b7a1defd8dee01ae3a87898`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.15.15@sha256:2dd532b06f802303634515172c40592d79e06cfad579c98411ad976879a0c099`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.15.15@sha256:023a341d0b873321a952dc3526be791db212a261e3de8e5c38064cc4a17da096`

### operator-aws

`quay.io/cilium/operator-aws:v1.15.15@sha256:fdffd54ba7d2ded8d893b14d37c4afdf29bf2c6404f2da3d1eba0bab788972fc`

### operator-azure

`quay.io/cilium/operator-azure:v1.15.15@sha256:e34a52ca2503ef9168a2710431c341b780c55303aabea7d4183bc619d4ce0ed9`

### operator-generic

`quay.io/cilium/operator-generic:v1.15.15@sha256:6f107958d9028a5a43efa7aaef941b3ae7f7e8f479ff9e4408b116a5eda56abe`

### operator

`quay.io/cilium/operator:v1.15.15@sha256:99d7fceaf5814dfe5aae37e6dcd55ed75ac937dd5ce8e347c0dc8ad169cd7559`


1.18.0-pre.0 (2025-03-03)

Summary of Changes
------------------

**Major Changes:**
* Added an experimental xDS client library (cilium/cilium#34484, @AwesomePatrol)
* bandwidth: support ingress rate limiting using eBPF token bucket (cilium/cilium#36351, @l1b0k)
* Introduces cilium-config ConfigMap monitoring, allowing the agent to automatically synchronize changes in designated sources with its in-memory database. A new drift checker compares the ingested configurations with the agent's configuration, logging any differences and publishing metrics for easy tracking of configuration drifts. (cilium/cilium#36510, @ovidiutirla)

**Minor Changes:**
* .Values.bpf.autoMount.enabled now functions as documented, and only serves to automatically mount the BPF FS in an initContainer if it was not already present on the host. If it was already present on the host, this value can be set to false to achieve a fully non-privileged deployment. (cilium/cilium#37733, @rptaylor)
* `cilium_agent_bootstrap_seconds` metric type changed from histogram to gauge (cilium/cilium#37576, @giorio94)
* Add a hook point to an early stage of XDP path (cilium/cilium#37873, @aspsk)
* Add Hubble export compression to Helm chart (cilium/cilium#36490, @ozerovandrei)
* add scrapeTimeout to serviceMonitors in helm (cilium/cilium#37789, @itspooya)
* Added possibility to run kvstoremesh with external etcd. (cilium/cilium#36216, @balous)
* Adds support for the CNI STATUS operation (https://github.com/containernetworking/cni/blob/main/SPEC.md#status-check-plugin-status) (cilium/cilium#37028, @architkulkarni)
* Adds the ability to reference a ConfigMap to get the Kubernetes Service Endpoint when installing with Helm. (cilium/cilium#37305, @kejne)
* Allow cilium to use eBPF ring buffers from Go and eBPF sides (cilium/cilium#37872, @aspsk)
* api: Conditionally register GatewayAPI related CRDs (cilium/cilium#37767, @sayboras)
* bgp: Introducing mac address based router-id generation. (cilium/cilium#36451, @yushoyamaguchi)
* bgp: report reconcile errors in CiliumBGPNodeConfig conditions. (cilium/cilium#37486, @harsimran-pabla)
* BGPv2: Support overlapping selector matches on CiliumBGPAdvertisement (cilium/cilium#36414, @dswaffordcw)
* bgpv2: add support for node-specific LocalASN in CiliumBGPNodeConfigOverride (cilium/cilium#36597, @bblackburn)
* bgpv2: Allow setting LocalPort from ClusterConfig (cilium/cilium#37476, @YutaroHayakawa)
* bpf: nat: support ICMPV6_DEST_UNREACH in egress path (cilium/cilium#37766, @julianwiedmann)
* Cilium CLI IPsec fixes (cilium/cilium#37018, @viktor-kurchenko)
* Cilium CLI now captures Tetragon helm data when performing `cilium sysdump`. (cilium/cilium#36749, @f1ko)
* cilium-cli/sysdump: relax extra-label-selectors to target all namespaces (cilium/cilium#37715, @giorio94)
* cilium-cli: collect Cilium Agent logs from crashing / not ready / restarted pods (cilium/cilium#37013, @marseel)
* cilium-dbg: add logging options (cilium/cilium#36802, @antonipp)
* CiliumEndpointSlice: batching mode defaults to first-come-first-serve mode and identity-based mode was removed (cilium/cilium#37211, @marseel)
* cli: Add support for helm --max-history command line flag (cilium/cilium#36677, @marcofranssen)
* cli: aws mixed nodes install fix (cilium/cilium#36336, @viktor-kurchenko)
* cli: Improve fetching of Cilium component logs in failure scenarios (cilium/cilium#37160, @joestringer)
* cli: restrict conn test to ip families (cilium/cilium#37000, @viktor-kurchenko)
* clustermesh: add annotations and labels sync to MCS-API (cilium/cilium#36308, @MrFreezeex)
* Collect a histogram and show the distribution of the number of attempts needed to allocate a port for SNAT. (cilium/cilium#36730, @gentoo-root)
* connectivity health checking: introduce dynamic probing interval based on cluster size and configurable probing frequency for improved performance at scale (cilium/cilium#36175, @jshr-w)
* Enable client-go exponential backoff in cilium agent by default. (cilium/cilium#36648, @wedaly)
* envoy add stream idle timeout configuration option (cilium/cilium#34592, @chengjoey)
* envoy: Bump envoy to 1.32.3 (cilium/cilium#36743, @sayboras)
* Explicitly display protocol for ICMP packet drop notifications (cilium/cilium#37549, @antonipp)
* Extend cilium-cli connectivity perf to allow testing egress gateway performance (cilium/cilium#37748, @giorio94)
* fix: Change CNI CHECK Error Code from 1 to 101 (cilium/cilium#37001, @architkulkarni)
* gateway-api: Add support for ParametersRef in GatewayClass (cilium/cilium#37402, @sayboras)
* gateway-api: Reconcile for All Routes changes (cilium/cilium#37798, @sayboras)
* gateway-api: Support LoadBalancerSourceRangesPolicy in CGCC (cilium/cilium#37792, @sayboras)
* helm: add configuration for node-labels (cilium/cilium#36662, @oblazek)
* Helm: adjust hubble relay securityContext to adhere to restricted Pod Security Standards. (cilium/cilium#37571, @rptaylor)
* Helm: Cilium agent startup probe failure threshold increased to 300 (cilium/cilium#36897, @soggiest)
* hubble-relay: remove deprecated dial-timeout flag (cilium/cilium#37314, @devodev)
* hubble: accurately report startup failure reason from cilium status (cilium/cilium#37567, @devodev)
* k8s: add support for annotations on cilium-secret namespaces (cilium/cilium#37482, @1602077)
* KVStoreMesh: Optimize cross-cluster state distribution by only synchronizing identities keyed by ID, not by value (cilium/cilium#36471, @HadrienPatte)
* metrics: add pressure metric for fragmentation map (cilium/cilium#37657, @Jack-R-lantern)
* New agent option `--policy-restore-timeout` (default 3m) has been added to bound the maximum time Cilium agent waits for endpoint policies to regenerate before starting serving resources to `cilium-envoy` proxy. (cilium/cilium#37658, @jrajahalme)
* Remove external-workload feature from Cilium and cilium-cli. Use previous version of cilium-cli if needed to provision unsupported external-workload clusters. (cilium/cilium#37418, @brb)
* Remove high-scale ipcache mode (cilium/cilium#36898, @pchaigno)
* Replace the deprecated workqueue with the generic TypedWorkqueue (cilium/cilium#37269, @alvaroaleman)
* Significantly improve processing of egress gateway policies matching a large number of pods (cilium/cilium#37714, @giorio94)
* Significantly reduce memory usage during cilium-cli sysdump collection (cilium/cilium#36987, @giorio94)
* The .Values.name variable to optionally configure agent pod names now functions as intended. (cilium/cilium#37572, @rptaylor)
* The Policy section of the Cilium Grafana dashboard has been improved to show more relevant graphs. (cilium/cilium#36492, @squeed)
* Update Azure go SDK (cilium/cilium#36751, @HadrienPatte)
* Use batched iterator for CTMap GC (cilium/cilium#36288, @tommyp1ckles)
* When allocating a source port for SNAT, reduce the number of retry attempts from 128 to 32. (cilium/cilium#37389, @gentoo-root)
* xds: Add ack and nack metrics (cilium/cilium#37078, @sayboras)

**Bugfixes:**
* Apply Egress bandwidth-limiting only once for traffic that is matched by an Egress Gateway policy. (cilium/cilium#37674, @julianwiedmann)
* Auth policy is properly maintained also when covered by proxy redirects. (cilium/cilium#37685, @jrajahalme)
* Cilium CLI fix for AWS ENI mode (cilium/cilium#36887, @viktor-kurchenko)
* datapath: Prefer IPv6 global address to link-local for direct routing. (cilium/cilium#37839, @sypakine)
* Fix bug causing `cilium-dbg bpf` commands to fail with a map not found error in IPv6-only clusters. (cilium/cilium#37787, @pchaigno)
* Fix creation and deletion of host port maps that would occasionally leave pods without them (cilium/cilium#37419, @javanthropus)
* Fix detection of iptables features on kernels with modules disabled. (cilium/cilium#36321, @gentoo-root)
* Fix envoy metrics that could not be obtained on IPv6-only clusters (cilium/cilium#37818, @haozhangami)
* Fix helm charts to properly configure tls and peer service for dynamic Hubble metrics. (cilium/cilium#37543, @rectified95)
* Fix the possible race condition caused by async update from aws to instance map in issue #36428 (cilium/cilium#37650, @liyihuang)
* identity: fix bug where fromNodes/toNodes could be used to allow custom endpoint (cilium/cilium#36657, @oblazek)
* Skip rate limiting endpoint deletion when container has already been deleted. (cilium/cilium#36645, @sypakine)
* Stop TLS Interception config being included in preflight (cilium/cilium#37820, @youngnick)
* When cilium-operator managing identities is enabled, cilium-operator LISTs CiliumEndpointSlice only if CES is enabled. (cilium/cilium#36409, @wedaly)

**CI Changes:**
* .github: Run BPF Linters on changes to infra (cilium/cilium#37755, @joestringer)
* .github: Use --interactive=false more widely (cilium/cilium#37392, @joestringer)
* .github: Use dedicated go cache on CI (cilium/cilium#37783, @joestringer)
* Add --external-other-target parameter to cilium CLI connectivity tests. (cilium/cilium#36080, @wedaly)
* Add EGW masquerade delay scale test (cilium/cilium#34431, @learnitall)
* Add explicit IPv6 testing to PodToService cilium-cli connectivity test (cilium/cilium#37544, @saiaunghlyanhtet)
* adds cilium-runtime as environment variable (cilium/cilium#37208, @Artyop)
* ariane: Stop running v1.14 GitHub workflows (cilium/cilium#37807, @joestringer)
* bgpv1: Extend adverts tests duration timeout (cilium/cilium#37284, @rastislavs)
* bgpv1: wait for watchers to be ready in tests (cilium/cilium#37884, @harsimran-pabla)
* bgpv2: Test_MergeRoutePolicies statements can be unordered (cilium/cilium#36846, @harsimran-pabla)
* bpf: tests: populate L4 protocol in service entries (cilium/cilium#37883, @julianwiedmann)
* call for metrics in smoke tests from runner instead of installing apt/curl on cilium pod (cilium/cilium#37362, @Artyop)
* Change client-egress-l7-tls tests to sequential because flaky (cilium/cilium#36568, @youngnick)
* ci-aks: Enable dual-stack in Conformance AKS (cilium/cilium#37704, @gandro)
* ci: fix base image build CI (cilium/cilium#37840, @nbusseneau)
* CI: GKE backslash missing disable insecure kubelet (cilium/cilium#37850, @auriaave)
* CI: GKE, disable insecure kubelet readonly port (cilium/cilium#37844, @auriaave)
* ci: increase global timeout for Envoy Embedded github action workflow (cilium/cilium#37752, @mhofstetter)
* ci: set --interactive=false for cilium status in delegated ipam e2e (cilium/cilium#37368, @wedaly)
* cilium-cli/connectivity: additionally check for container restarts (cilium/cilium#36299, @giorio94)
* cilium-cli/connectivity: Fix output for LRP tests (cilium/cilium#37893, @pchaigno)
* cilium-cli/connectivity: only check container restarts on v1.17+ (cilium/cilium#37823, @giorio94)
* cilium-cli: Add envoy log pattern in error check (cilium/cilium#36498, @sayboras)
* cilium-cli: add explicit IPv6 testing to PodToK8sLocal (cilium/cilium#37461, @saiaunghlyanhtet)
* cilium-cli: extend no-interrupted-connections to test NodePort from outside (cilium/cilium#37294, @ysksuzuki)
* cilium-cli: Fix GITHUB_WORKFLOW_REF parsing (cilium/cilium#37686, @joestringer)
* cli: Attribute test failures outside of action failures (cilium/cilium#37757, @joestringer)
* CLI: Attribute tests to codeowners (cilium/cilium#37027, @joestringer)
* cli: Clean up Makefile (cilium/cilium#37911, @michi-covalent)
* cli: connectivity: Log tcpdump cmd on error (cilium/cilium#37822, @jschwinger233)
* CODEOWNERS: Assign ownership for cloud teams (cilium/cilium#37781, @joestringer)
* Configure renovate to update all cloud provider SDKs monthly (cilium/cilium#37087, @HadrienPatte)
* connectivity: Add retry all error for L7 header related test (cilium/cilium#37010, @sayboras)
* contrib: Reverse default for running builder as root (cilium/cilium#37756, @joestringer)
* datapath/linux: Refactor device controller tests to use scripttest (cilium/cilium#37826, @rastislavs)
* Egress Gateway performance testing (cilium/cilium#37753, @giorio94)
* Enable dual stack k8s conformance testing (cilium/cilium#37559, @dylandreimerink)
* endpoint: enable tests run multiple times (cilium/cilium#36931, @jrajahalme)
* Fix egress device computation in cli connectivity pod-to-pod-encryption-v2 tests for AWS chaining mode. (cilium/cilium#37680, @smagnani96)
* gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (cilium/cilium#37551, @jschwinger233)
* gh: e2e-upgrade: don't explicitly enable BPF masquerading with KPR=true (cilium/cilium#36865, @julianwiedmann)
* gh: e2e-upgrade: don't skip upgrade for netkit configs (cilium/cilium#36746, @julianwiedmann)
* gh: e2e-upgrade: enable HostFW in config 5 (cilium/cilium#36745, @julianwiedmann)
* gh: fix network performance testing (cilium/cilium#37875, @marseel)
* gh: ipsec-upgrade: use node-specific boot ID (cilium/cilium#37639, @julianwiedmann)
* gh: ipsec-upgrade: use node-specific boot ID (part 2) (cilium/cilium#37667, @julianwiedmann)
* gh: remove some v1.14 parts (cilium/cilium#37493, @julianwiedmann)
* gh: update naming for bpftrace leak detection script (cilium/cilium#37865, @julianwiedmann)
* gha/scale-egw: fix waiting for images availability (cilium/cilium#37922, @giorio94)
* gha: use /test to trigger tests in stable branches (cilium/cilium#36672, @giorio94)
* gha: Use ubuntu-24.04 for all workflows (cilium/cilium#36653, @sayboras)
* Ignore encrypt interface field when validating option.Config after initialization (cilium/cilium#37184, @Artyop)
* ipsec: Fix XFRM leak test for encrypted overlay (cilium/cilium#37307, @pchaigno)
* labelsfilter: Update the unit test with the doc example (cilium/cilium#36566, @liyihuang)
* lint-build-commits: Skip full Hubble build for intermediate commits (cilium/cilium#37750, @gandro)
* Miscellaneous improvements to the Egress Gateway scale test (cilium/cilium#37611, @giorio94)
* Miscellaneous improvements to the Egress Gateway scale test (part 2) (cilium/cilium#37867, @giorio94)
* Miscellaneous improvements to the setup-eks-cluster GH action (cilium/cilium#37640, @giorio94)
* renovate: Bump cilium-envoy version for stable branches (cilium/cilium#37158, @sayboras)
* renovate: pin renovate image version in config validator workflow (cilium/cilium#36914, @tklauser)
* Revert "renovate: exclude complexity-test image on v1.14 / v1.15" (cilium/cilium#36696, @tklauser)
* Revert runtime image preparation via environment variables (cilium/cilium#37156, @joestringer)
* Set runtime image in an action outside of env variable settings (cilium/cilium#37595, @Artyop)
* tables: deflake direct routing device test (cilium/cilium#37220, @bimmlerd)
* test/fuzzing: Fix fuzzing test failure (cilium/cilium#37159, @christarazi)
* test: Add negative test case for TLS SNI (cilium/cilium#37122, @sayboras)
* test: Move tgraf/netperf image to Quay (cilium/cilium#37458, @pchaigno)
* test: Remove RuntimeSSHTests (cilium/cilium#37860, @joestringer)
* test: remove unused registry-adder chart (cilium/cilium#36986, @tklauser)
* Update CI Chart Push workflow mechanism to workflow_call (cilium/cilium#37030, @chancez)
* workflows/e2e: Revert bpf/bpf-next image updates (cilium/cilium#37485, @pchaigno)
* workflows/ipsec: Fix key count in case of EO (cilium/cilium#37451, @pchaigno)
* workflows: Merge Hubble build in build workflow (cilium/cilium#37414, @pchaigno)
* workflows: Remove External Workload coverage (cilium/cilium#37447, @pchaigno)

**Misc Changes:**
* .github: generate feature summary report from CI (cilium/cilium#36933, @aanm)
* [docs] Improve the Quick Start dev setup section (cilium/cilium#36646, @pmatulis)
* add cilium-runtime image prefix to env var (cilium/cilium#37802, @Artyop)
* Add Docaposte to USERS.md (cilium/cilium#36811, @albundy83)
* Add Guidewire inc to the adopters (cilium/cilium#37128, @shreyasHpandya)
* Add SINAD to the adopters (cilium/cilium#37176, @arezki-ouhenia)
* Add sloglint and fix issues (cilium/cilium#37851, @aanm)
* Add TRACE_{FROM/TO}_CRYPTO observation point and bpf metrics for packets forwarded-to/received-from Wireguard. (cilium/cilium#34958, @smagnani96)
* Added EvoCloud to the list of USERS.md (cilium/cilium#37499, @geanttechnology)
* always render enable-hubble in the Cilium configmap (cilium/cilium#37703, @kaworu)
* api/v1: remove unused generated deepcopy methods (cilium/cilium#36667, @tklauser)
* Azure IPAM: Improve operation at scale by using better APIs to resync individual instances as required, rather than resyncing all instances (cilium/cilium#37430, @HadrienPatte)
* bgp: Decouple CRD from Router interface (cilium/cilium#37396, @YutaroHayakawa)
* bgp: improve reconciler error handling (cilium/cilium#37420, @harsimran-pabla)
* bgpv1: Extend component test timeout (cilium/cilium#37370, @YutaroHayakawa)
* bgpv2: decouple instance registration and reconcile errors (cilium/cilium#36934, @harsimran-pabla)
* bgpv2: Pass copy of BGPNodeConfig to reconcilers (cilium/cilium#36595, @rastislavs)
* bgpv2: SortRouteStatementsByName to use cmp pkg for sorting (cilium/cilium#36888, @harsimran-pabla)
* bpf/encap: Avoid checking `encrypt_key` twice (cilium/cilium#36844, @pchaigno)
* bpf/tests: remove leftover debug statements (cilium/cilium#37011, @rgo3)
* bpf: clean up use of ENABLE_ROUTING in non-endpoint programs (cilium/cilium#37049, @julianwiedmann)
* bpf: egressgw: let gateway node identify reply traffic as WORLD_ID (cilium/cilium#36911, @julianwiedmann)
* bpf: Fix RFC reference for NAT64 (cilium/cilium#37050, @qmonnet)
* bpf: harmonize cilium_host / cilium_net macro naming (cilium/cilium#37082, @julianwiedmann)
* bpf: host: clean up redundant check for ipcache match (cilium/cilium#37019, @julianwiedmann)
* bpf: host: defer dmac rewrite in from-host path (cilium/cilium#37324, @julianwiedmann)
* bpf: host: identify Cilium's Wireguard traffic as from HOST (cilium/cilium#37956, @julianwiedmann)
* bpf: Lift bind rejection for L7 services going via Envoy (cilium/cilium#37183, @borkmann)
* bpf: lxc: minor cleanups in proxy-related ingress path (cilium/cilium#37842, @julianwiedmann)
* bpf: lxc: remove stale comment regarding rev_nat_index for loopback packet (cilium/cilium#37918, @julianwiedmann)
* bpf: Makefile improvement (cilium/cilium#36956, @viktor-kurchenko)
* bpf: move some conditional includes, simplify SECLABEL, remove elf-demo.c (cilium/cilium#37207, @ti-mo)
* bpf: nat: cosmetic improvements for snat_v*_needs_masquerade() (cilium/cilium#37547, @julianwiedmann)
* bpf: nat: ICMP v4 improvements (cilium/cilium#36767, @julianwiedmann)
* bpf: nat: simplify local_ep path in snat_v*_needs_masquerade() (cilium/cilium#36879, @julianwiedmann)
* bpf: nodeport: improve checks for !defined(IS_BPF_OVERLAY) (cilium/cilium#36971, @julianwiedmann)
* bpf: overlay: report REMOTE_NODE_ID when forwarding service replies (cilium/cilium#37017, @julianwiedmann)
* bpf: reduce CTX_ACT_DROP usage in datapath (cilium/cilium#37573, @julianwiedmann)
* bpf: remove guards around CILIUM_NET_IFINDEX / CILIUM_HOST_MAC (cilium/cilium#37323, @julianwiedmann)
* bpf: Remove misnamed `node_id` variable (cilium/cilium#36842, @pchaigno)
* bpf: Remove unnecessary `__maybe_unused` (cilium/cilium#36843, @pchaigno)
* bpf: remove unused world_cidrs_key4 (cilium/cilium#37075, @julianwiedmann)
* bpf: tests: add ctx_{mark_}is_wireguard helper tests (cilium/cilium#35899, @smagnani96)
* bugtool: document removal of k8s-mode in upgrade guide (cilium/cilium#37699, @mhofstetter)
* bugtool: remove k8s-mode (cilium/cilium#36632, @mhofstetter)
* chore(deps): Bump cilium/proxy to the latest (cilium/cilium#37635, @sayboras)
* chore(deps): update all github action dependencies (main) (cilium/cilium#36757, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#36946, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37070, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37112, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37196, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37304, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37408, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37500, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37815, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#37942, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#36756, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#37195, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#37661, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#37811, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36698, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36834, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36847, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36942, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#37406, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36706, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36855, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36883, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36943, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#37031, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#37199, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#37341, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#37660, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#37768, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#37810, @cilium-renovate[bot])
* chore(deps): update cilium/cilium-cli action to v0.16.23 (main) (cilium/cilium#37302, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.23 (main) (cilium/cilium#36893, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.24 (main) (cilium/cilium#37336, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.17.0 (main) (cilium/cilium#37786, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.18.0 (main) (cilium/cilium#37940, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.21 (main) (cilium/cilium#37213, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (main) (cilium/cilium#37407, @cilium-renovate[bot])
* chore(deps): update dependency go to v1.23.5 (main) (cilium/cilium#37303, @cilium-renovate[bot])
* chore(deps): update dependency go to v1.24.0 (main) (cilium/cilium#37569, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang docker tag to v1.24.0 (main) (cilium/cilium#37603, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.4 docker digest to 7ea4c9d (main) (cilium/cilium#36808, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.5 docker digest to 8c10f21 (main) (cilium/cilium#37178, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.24.0 docker digest to 3f74443 (main) (cilium/cilium#37938, @cilium-renovate[bot])
* chore(deps): update go to v1.23.5 (main) (cilium/cilium#37064, @cilium-renovate[bot])
* chore(deps): update go to v1.23.6 (main) (cilium/cilium#37495, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.63.4 (main) (cilium/cilium#36945, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.64.2 (main) (cilium/cilium#37570, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.64.5 (main) (cilium/cilium#37663, @cilium-renovate[bot])
* chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] (main) (cilium/cilium#37832, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.3-1737449866-585ba14700a2c729f024d9f0b2c694bc83a908a2 (main) (cilium/cilium#37111, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.3-1740976227-c3c35d52ca3b699de1f9448ab7174a9bdcb13f69 (main) (cilium/cilium#37939, @cilium-renovate[bot])
* ci/connectivity: Don't apply cnp to conn-disrupt pods in 1.15, 1.14 (cilium/cilium#36682, @jschwinger233)
* ci: run build steps as concurrent jobs in lint-build-commits (cilium/cilium#37754, @devodev)
* ci: update docs-builder (cilium/cilium#37615, @joestringer)
* Cilium CLI: Trim EKS cluster ARN to extract valid cluster name (cilium/cilium#36952, @jaehanbyun)
* cilium-builder: add buf (cilium/cilium#37534, @will-isovalent)
* cilium-cli/connectivity: ignore hubble-ui warning in no-errors-in-logs test (cilium/cilium#37563, @tklauser)
* cilium-cli/sysdump: drop obsolete CiliumEgressNATPolicy entry (cilium/cilium#37584, @giorio94)
* cilium-cli: do not print checkmarks for non-binary values (cilium/cilium#36890, @aanm)
* cilium-cli: enable websockets for k8s exec (cilium/cilium#37538, @asauber)
* cilium-cli: Ignore k8s client network error warning (cilium/cilium#37773, @jrajahalme)
* cilium-cli: Only use --curl-parallel when expecting success (cilium/cilium#37803, @jrajahalme)
* cilium-cli: re-fix GITHUB_WORKFLOW_REF parsing (cilium/cilium#37707, @kaworu)
* cilium-cli: skip some IPv6 connectivity tests for Cilium<1.14 when IPsec is enabled (cilium/cilium#36664, @jschwinger233)
* cilium-dbg: Use node name in shell prompt (cilium/cilium#37853, @joamaki)
* cilium: Allow to configure tunnel source port range (cilium/cilium#37777, @borkmann)
* cilium: Pull in vxlan netlink Go fix and uncomment assertion in test (cilium/cilium#37808, @borkmann)
* cilium: Remove deprecated lb-only mode for plain docker (cilium/cilium#37490, @borkmann)
* cilium: Unconditionally upsert neighbor entries (cilium/cilium#37352, @borkmann)
* cilium: various misc refactoring & improvements (cilium/cilium#37254, @borkmann)
* Clean up high scale ipcache leftovers (cilium/cilium#37308, @tklauser)
* cli: Added parameter to print used images (cilium/cilium#37390, @PhilipSchmid)
* cli: Ensure EGW tests trigger failures via actions (cilium/cilium#37649, @joestringer)
* cli: Support filtering --log-code-owners (cilium/cilium#37905, @joestringer)
* clustermesh: Consolidate hive (cilium/cilium#37620, @joestringer)
* CODEOWNERS: adjust ownership of the pkg/crypto subpackages (cilium/cilium#37204, @rolinh)
* CODEOWNERS: Assign EKS to ipsec as well (cilium/cilium#37719, @joestringer)
* CODEOWNERS: Datapath owns fragmentation docs (cilium/cilium#37770, @pchaigno)
* CODEOWNERS: IPsec ownership of key rotation GH action (cilium/cilium#37462, @pchaigno)
* CODEOWNERS: let @cilium/sig-lb own LRP connectivity tests (cilium/cilium#37193, @tklauser)
* CODEOWNERS: let sig-encryption own the bpftrace leak detection action (cilium/cilium#37866, @julianwiedmann)
* Configure the datapath using type-safe Go structs generated at compile time (cilium/cilium#36991, @ti-mo)
* connectivity: Add curl retry params for TLS inspection test (cilium/cilium#37424, @sayboras)
* connectivity: Add test for update TLS secret (cilium/cilium#36812, @sayboras)
* connectivity: Avoid hard-coded external target in warning log (cilium/cilium#37443, @sayboras)
* contrib: Reuse local build caches for builder.sh (cilium/cilium#37688, @joestringer)
* Create common cmdref package (cilium/cilium#36965, @HadrienPatte)
* create eks cluster without aws cni (cilium/cilium#35342, @aanm)
* ctmap: use `sync.OnceValue` to simplify `batchAPISupported` (cilium/cilium#36928, @tklauser)
* daemon,k8s: ServiceCache interface in preparation for adapter (cilium/cilium#37696, @joamaki)
* daemon/k8s: restore time.Now and TZ after TestScript (cilium/cilium#37299, @tklauser)
* daemon: Create NAT retries maps early on startup (cilium/cilium#37387, @pchaigno)
* daemon: remove deprecated no-op `--k8s-watcher-endpoint-selector` flag (cilium/cilium#37359, @tklauser)
* daemon: write CNI configuration with 0600 permissions (cilium/cilium#37589, @hhoover)
* datapath/sockets: Export various types in sockets library. (cilium/cilium#37313, @tommyp1ckles)
* datapath/sockets: Rework serialization and deserialization of netlink requests/responses (cilium/cilium#36930, @pippolo84)
* datapath: move probe for `bpf_skb_adjust_room` with `BPF_ADJ_ROOM_MAC` mode (cilium/cilium#37177, @tklauser)
* datapath: require FnGetSocketCookie (cilium/cilium#36768, @julianwiedmann)
* deps: update mcs-api dependency (cilium/cilium#37672, @MrFreezeex)
* Doc: Auto BGP router-id allocation for IPv6 (cilium/cilium#36736, @yushoyamaguchi)
* doc: Clarified CNP inter-NS handling (cilium/cilium#37484, @PhilipSchmid)
* doc: eks cluster restriction removed (cilium/cilium#37043, @viktor-kurchenko)
* doc: fix a typo in bpf.rst (cilium/cilium#37610, @ritwikranjan)
* docs: Add controller-runtime step in k8s upgrade (cilium/cilium#37415, @sayboras)
* docs: add documentation for operator managing identities (cilium/cilium#37320, @jshr-w)
* docs: add fragmentation docs (cilium/cilium#37730, @Jack-R-lantern)
* docs: add troubleshooting hubble deployment section (cilium/cilium#37596, @devodev)
* docs: Add Warning to Requires Policy Language (cilium/cilium#36644, @nathanjsweet)
* docs: Correct the release table format (cilium/cilium#37728, @sayboras)
* docs: document the `cilium.io/use-original-source-address` label for CECs (cilium/cilium#36806, @aetimmes)
* docs: Regenerate docs for cmdref (cilium/cilium#37444, @sayboras)
* docs: update CES documentation (cilium/cilium#37524, @marseel)
* Docs: update SIGs section (cilium/cilium#36969, @xmulligan)
* endpoint: Fix Lockdown Logic Duplication (cilium/cilium#37291, @nathanjsweet)
* Ensure the operator debug image always contains debug symbols. (cilium/cilium#37093, @EricMountain)
* envoy: Clean-up imported resources (cilium/cilium#37731, @sayboras)
* envoy: cleanup xds server initialization (cilium/cilium#37373, @mhofstetter)
* envoy: introduce slog logger for envoy package - part 1 (cilium/cilium#37735, @mhofstetter)
* envoy: Remove service/trace/v3 import (cilium/cilium#37771, @sayboras)
* examples: Fix the Mutual Authentication example to work with Apple M series (arm64) (cilium/cilium#37267, @alvaroaleman)
* experimental/lb: Add NodePort and HostPort addr refresher (cilium/cilium#37052, @brb)
* experimental: Add health server support (cilium/cilium#35820, @joamaki)
* experimental: Fix nodeport-addr.txtar (cilium/cilium#37238, @joamaki)
* experimental: Per service lb algorithm selection (cilium/cilium#36697, @DamianSawicki)
* experimental: Properly handle TCP/UDP differentiation (cilium/cilium#37164, @joamaki)
* experimental: ServiceCache/ServiceManager adapters, LocalRedirectPolicy support (cilium/cilium#37706, @joamaki)
* experimental: Test reliability improvements (cilium/cilium#37251, @joamaki)
* experimental: Update nodeport-addrs.txtar after merge race (cilium/cilium#37226, @joamaki)
* Fix ambiguous underspecified image definition for yq container. (cilium/cilium#37597, @rptaylor)
* Fix batched LRU flakes (cilium/cilium#37104, @tommyp1ckles)
* Fix command in policy-creation.rst (cilium/cilium#36880, @Javex)
* Fix darwin(macOS) contrib/scripts/builder.sh error (cilium/cilium#37760, @gyutaeb)
* Fix error handling in Azure IPAM leading to an infinite loop and a deadlock (cilium/cilium#37471, @HadrienPatte)
* Fix GetResources function in xds.Cache (cilium/cilium#36554, @kl52752)
* fix(deps): update all go dependencies main (main) (cilium/cilium#36720, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#36835, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#36863, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#36947, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#37066, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#37114, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#37240, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#36721, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#36944, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#37068, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#37410, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#37813, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#37941, @cilium-renovate[bot])
* fix(deps): update kubernetes packages to v0.32.1 (main) (cilium/cilium#37067, @cilium-renovate[bot])
* fix(deps): update kubernetes packages to v0.32.2 (main) (cilium/cilium#37664, @cilium-renovate[bot])
* fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.201.0 (main) (cilium/cilium#37242, @cilium-renovate[bot])
* fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/azidentity to v1.8.2 (main) (cilium/cilium#37814, @cilium-renovate[bot])
* fix(deps): update module golang.org/x/net to v0.33.0 [security] (main) (cilium/cilium#36709, @cilium-renovate[bot])
* fix(deps): update opentelemetry-go monorepo to v1.33.0 (main) (cilium/cilium#36608, @cilium-renovate[bot])
* fix(deps): update opentelemetry-go monorepo to v1.34.0 (main) (cilium/cilium#37069, @cilium-renovate[bot])
* fixes default-cert typo, improves cert-manager installation for gateway-api (cilium/cilium#36845, @xinity)
* Fixing typos in fqdn and policy pkg (cilium/cilium#37060, @vipul-21)
* fqdn: avoid re-parsing DNS server address/port (cilium/cilium#37558, @tklauser)
* gateway-api: Add docs for GatewayClass parameters (cilium/cilium#37821, @sayboras)
* gateway-api: Refactor and cleanup codebase (cilium/cilium#37413, @sayboras)
* go.mod, tools: use Go 1.24 tool dependencies (cilium/cilium#37903, @tklauser)
* golangci-lint: Update config as per latest schema (cilium/cilium#36833, @sayboras)
* gops: Add option to disable gops agent (cilium/cilium#36387, @l1b0k)
* GRPC contract between Standalone DNS Proxy (SDP) and Cilium Agent (cilium/cilium#36121, @tamilmani1989)
* helm: add identityManagementMode option to allow cilium-operator to manage identities. (cilium/cilium#36411, @wedaly)
* hubble: move exporter creation behind interface in dynamic exporter (cilium/cilium#37367, @devodev)
* hubble: separate static and dynamic exporter configurations (cilium/cilium#36974, @devodev)
* identity: make locally-scoped identities observable (cilium/cilium#37288, @bimmlerd)
* Improve cilium-dbg policy output from reserved:unknown to ANY (cilium/cilium#36780, @liyihuang)
* Improve k8s-cilium-exec.sh (cilium/cilium#36832, @simplyatul)
* Improve Makefile help: add debug image commands for agent and operator (cilium/cilium#36790, @liyihuang)
* ingress, gateway-api: Refactor CEC translation (cilium/cilium#36822, @sayboras)
* ip: remove unused IPsToNetPrefixes (cilium/cilium#37915, @tklauser)
* ipsec: Prepare XFRM rules for Encrypted Overlay with IPv6 (cilium/cilium#37331, @pchaigno)
* iptables: pass -n flag when listing iptables (cilium/cilium#37929, @harsimran-pabla)
* k8s/apis/cilium.io/v2: remove unused AnnotationsEquals methods (cilium/cilium#37020, @tklauser)
* k8s/client: Rework fake client commands (cilium/cilium#37588, @joamaki)
* k8s/resource: NewTableEventStream to adapt from Resource to Tables (cilium/cilium#37382, @joamaki)
* k8s: Convert from Resource[Pod] to Table[LocalPod] (cilium/cilium#36101, @joamaki)
* labels: fix TestNewFrom test (cilium/cilium#37846, @giorio94)
* loader: ensure logger invocations print log line (cilium/cilium#37581, @rgo3)
* MAINTAINERS: Add Marco (cilium/cilium#37717, @pchaigno)
* maps/ctmap: don't log if batch iteration is not supported (cilium/cilium#37125, @tklauser)
* metrics: Make sampling interval configurable (cilium/cilium#37094, @joamaki)
* Migrate from net to net/netip in pkg/aws/eni (cilium/cilium#37167, @HadrienPatte)
* modularise namemanager (cilium/cilium#37644, @bimmlerd)
* namemanager efficiency improvements (cilium/cilium#37774, @bimmlerd)
* operator: log error for invalid network policies (cilium/cilium#37356, @marseel)
* option: remove unused DaemonConfig.KVstoreKeepAliveInterval field (cilium/cilium#36719, @tklauser)
* Per-CPU policy stats (cilium/cilium#37591, @jrajahalme)
* pkg/allocator: migrate to slog (cilium/cilium#37892, @aanm)
* pkg/byteorder: add loong64 platform support (cilium/cilium#36753, @wszqkzqk)
* pkg/ciliumidentity: Fix TestUpdateUsedCIDIsReverted test (cilium/cilium#37006, @ovidiutirla)
* pkg/ciliumidentity: skip CID creation for unmanaged pods (cilium/cilium#36779, @jshr-w)
* pkg/maps/nat/stats: cleanup: remove unused nth index from nat-stats. (cilium/cilium#36676, @tommyp1ckles)
* pkg/{alibabacloud,aws,azure,ipam}: migrate to slog (cilium/cilium#37882, @aanm)
* Policy test cleanups: round 2 (cilium/cilium#37058, @squeed)
* Policy test: stop using SearchContext, use Lookup instead, part 1 (cilium/cilium#36964, @squeed)
* policy: clean up PolicyMap types a bit (cilium/cilium#37330, @squeed)
* policy: fix missing error in GetSelectorPolicy() (cilium/cilium#36637, @squeed)
* policy: make `--enable-well-known-identities` a cell flag (cilium/cilium#37174, @tklauser)
* policy: Move exported Lookup to EndpointPolicy (cilium/cilium#36725, @jrajahalme)
* policy: optimize mapstate rule labels (cilium/cilium#37024, @jrajahalme)
* policy: Remove unneeded error return in GetSelectorPolicy() (cilium/cilium#36704, @christarazi)
* policy: Return labels of contributing rules from mapState.Lookup (cilium/cilium#36599, @jrajahalme)
* Preparation to test IPv4 and IPv6 explicitly in connectivity tests (cilium/cilium#37468, @gentoo-root)
* Prepare for v1.18 development cycle (cilium/cilium#36624, @aanm)
* proxy: Fix data race in proxyports test (cilium/cilium#37890, @jrajahalme)
* proxy: introduce slog logger for proxy package (cilium/cilium#37684, @mhofstetter)
* proxy: Only set/update L7 rules for DNS proxy (cilium/cilium#36809, @jrajahalme)
* README: Update releases (cilium/cilium#36678, @jrajahalme)
* README: Update releases (cilium/cilium#36941, @joestringer)
* README: Update releases (cilium/cilium#37228, @thorn3r)
* README: Update releases (cilium/cilium#37258, @aanm)
* Reconcile node neighbor table entries after recovering from carrier down events (cilium/cilium#37310, @dylandreimerink)
* release: post release bumps (cilium/cilium#37720, @bimmlerd)
* Remove always-nil error returns (cilium/cilium#36910, @tklauser)
* Remove eBPF section from README (cilium/cilium#37171, @xmulligan)
* Remove external workloads related leftovers (cilium/cilium#37737, @giorio94)
* Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (cilium/cilium#37806, @rolinh)
* Remove unnecessary nil checks in pkg/azure/api (cilium/cilium#37769, @HadrienPatte)
* Remove usage of deprecated aws.EndpointResolver (cilium/cilium#37098, @HadrienPatte)
* renovate: adjust kernel version strings (cilium/cilium#37522, @julianwiedmann)
* renovate: Allow go 1.23 for stable branches 1.14+ (cilium/cilium#37172, @sayboras)
* renovate: Fix the typo in validator config file name (cilium/cilium#37039, @sayboras)
* renovate: fix typo in ipsec action (cilium/cilium#37521, @julianwiedmann)
* renovate: Run post upgrade tasks for protoc related files (cilium/cilium#36772, @sayboras)
* renovate: Update cilium-envoy for v1.17 (cilium/cilium#36715, @sayboras)
* Replace `logging.SlogNopHandler` by `slog.DiscardHandler` (cilium/cilium#37847, @tklauser)
* Replace `pkg/math` by Go `min`/`max` builtins (cilium/cilium#37194, @tklauser)
* Revert "cli: Use error def of github.com/cilium/ebpf" (cilium/cilium#37687, @joestringer)
* Revert "contrib: Run builder script as non-root by default" (cilium/cilium#37736, @jrajahalme)
* Rewrite AllowOverwrite with a list (cilium/cilium#36095, @DamianSawicki)
* Runtime image set as environment variable (cilium/cilium#36972, @Artyop)
* service: beautify the error message on failed socket termination (cilium/cilium#37041, @julianwiedmann)
* Set available addresses when Azure returns nil IP configs (cilium/cilium#36379, @hemanthmalla)
* slog: migrate wireguard to slog (cilium/cilium#37849, @aanm)
* test: Cleanup jenkins and Envoy related code (cilium/cilium#36877, @sayboras)
* test: Update negative test case for TLS SNI (cilium/cilium#37386, @sayboras)
* to-fqdn: shorten critical section when updating a name (cilium/cilium#37467, @squeed)
* Tracking only node IPs in WireGuard AllowedIPs with overlay routing, while preserving the native routing behavior of tracking both node and pod IPs from IPCache events. (cilium/cilium#35895, @smagnani96)
* Unit tests for SNAT port allocation algorithm. (cilium/cilium#37145, @gentoo-root)
* Update connectivity tests to correctly detect TLS Interception (cilium/cilium#37796, @youngnick)
* Update Go version to 1.24 in go.mod and fix resulting issues (cilium/cilium#37852, @tklauser)
* Update isFqdn fn based on the source github.com/miekg/dns (cilium/cilium#37037, @vipul-21)
* Update Overview image (cilium/cilium#37556, @xmulligan)
* Update README with new releases (cilium/cilium#36695, @aanm)
* Update releases and stable with v1.17.0 (cilium/cilium#37395, @aanm)
* Update RTD theme commit hash to fix slack url (cilium/cilium#37237, @paularah)
* Update Upgrade doc for 1.18 (cilium/cilium#36993, @liyihuang)
* Update USERS.md entry for SeatGeek to include Service Mesh (cilium/cilium#36807, @aetimmes)
* Update USERS.md to include KA-NABELL (cilium/cilium#37654, @kahirokunn)
* Use SDK pointer functions (cilium/cilium#37523, @HadrienPatte)
* vendor: Bump hive&statedb (cilium/cilium#37697, @joamaki)
* wireguard: introduce v2 pod-to-pod connectivity tests (cilium/cilium#37533, @ldelossa)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.18.0-pre.0@sha256:88711d5016c6969e47e92e5f499ccd80e3df93ab52bdd7bc321c2b4a6a434a9e`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.18.0-pre.0@sha256:11a07963bd5bc478c4aa2ed56fef91bc5be37e1cb08bcecc98c5c898fcb7e2cd`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.18.0-pre.0@sha256:06a13a2188665977ed1ecc7e9de470ab65906cd944a127270ee73dd1942553ee`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.18.0-pre.0@sha256:6f3044ba5699b22e7b74262a4ccc645253da19b0014bd9bf64b972e0f373885c`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.18.0-pre.0@sha256:194b33fcaa14c900ee7cca150045ae62e37a30a58f5d4981de37d2ada7b2aa61`

### operator-aws

`quay.io/cilium/operator-aws:v1.18.0-pre.0@sha256:fdfefe5bbf0e68c5a1864c808110b43dbd9429f8fb43ce6246a4cf88c9914f77`

### operator-azure

`quay.io/cilium/operator-azure:v1.18.0-pre.0@sha256:1ed41de3f5ca8e8c682862ce8775d5dde6d7af3a0afe5cbd264558d34a256500`

### operator-generic

`quay.io/cilium/operator-generic:v1.18.0-pre.0@sha256:b1f1d0b3278efd8f9774d87d317f25a145fd165f22b19403bc6b92db750cea8a`

### operator

`quay.io/cilium/operator:v1.18.0-pre.0@sha256:f23d47ad5830bcd866cdc9d7bfefdb06548574a811002f03385d2b0f1ed3c40f`


1.16.7 (2025-02-18)

Summary of Changes
------------------

**Minor Changes:**
* Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport PR cilium/cilium#37124, Upstream PR cilium/cilium#36598, @pippolo84)
* doc: Added hostLegacyRouting limitation for Talos (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36852, @PhilipSchmid)

**Bugfixes:**
* agent: defend against null pointer refs in cecManager.getEndpoint() (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37188, @aetimmes)
* Allow cilium agent to start on linux kernels that don't have CONFIG_XFRM. (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#37123, @julianwiedmann)
* ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR cilium/cilium#37417, Upstream PR cilium/cilium#37347, @gandro)
* envoy: add configurable access log buffer size (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36823, @aetimmes)
* Fix a bug that prevents a pod from accessing Nodeport services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36929, @julianwiedmann)
* Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#37085, @giorio94)
* Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#37086, @giorio94)
* Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36103, @viktor-kurchenko)
* maps/nat/stats: Use Start context when waiting for maps (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#37262, @tommyp1ckles)
* nodeinit: move kubelet restart inside if/else in startup.bash (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37282, @ayuspin)
* Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36504, @viktor-kurchenko)
* socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR cilium/cilium#37441, Upstream PR cilium/cilium#37426, @alvaroaleman)

**CI Changes:**
* [v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (cilium/cilium#37380, @giorio94)
* gh: harmonize lvh kernel naming scheme (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37322, @julianwiedmann)
* gh: update removed --loglevel option for kind (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36935, @julianwiedmann)
* gha: bump ubuntu version in conformance-externalworkloads (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36859, @giorio94)
* gha: correctly downgrade to patch release in ipsec workflows (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36858, @giorio94)
* gha: fix retrieval of DNS server in conformance external workloads (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37361, @giorio94)
* gha: Retrieve eks supported version via aws cli (Backport PR cilium/cilium#37223, Upstream PR cilium/cilium#37210, @sayboras)
* Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36364, @smagnani96)
* Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36962, @smagnani96)
* test: Fix the flake for TestRestoredPort (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#37106, @sayboras)
* test: Move demo-httpd from Docker to Quay (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#37149, @joestringer)
* test: Move the dind image to Quay to avoid rate-limiting (Backport PR cilium/cilium#37441, Upstream PR cilium/cilium#37388, @pchaigno)

**Misc Changes:**
* build: Remove debug leftover from Makefile (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36917, @gentoo-root)
* chore(deps): update actions/setup-go action to v5.3.0 (v1.16) (cilium/cilium#37117, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#37244, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#37505, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#37343, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#37550, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.16) (cilium/cilium#37338, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.16) (cilium/cilium#37215, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.16) (cilium/cilium#37503, @cilium-renovate[bot])
* chore(deps): update go to v1.23.6 (v1.16) (cilium/cilium#37497, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.16) (cilium/cilium#37201, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.16) (patch) (cilium/cilium#37411, @cilium-renovate[bot])
* cilium-dbg/troubleshoot: do not import cilium-dbg from operator (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37326, @aanm)
* clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36602, @joestringer)
* doc(glossary): Geneve as final RFC (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37316, @alagoutte)
* doc: ebpf host-routing and netfilter (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36921, @PhilipSchmid)
* doc: eks cluster restriction removed (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#37043, @viktor-kurchenko)
* doc: Removed nodeinit from aks byocni install (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#37048, @PhilipSchmid)
* docs: Add SNI policy example (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37234, @sayboras)
* docs: Clarify Identity-Relevant Labels description (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36924, @joestringer)
* docs: Fix broken link in BGP control plane docs (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#37241, @mikejoh)
* docs: pass current_version to html_context (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#37008, @ayuspin)
* docs: Remove stale limitation on KPR+IPsec (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#37054, @pchaigno)
* images: don't assume Dockerfile directory in builder/runtime update scripts (Backport PR cilium/cilium#37375, Upstream PR cilium/cilium#34488, @tklauser)
* proxy: Mark restored port as configured (Backport PR cilium/cilium#37168, Upstream PR cilium/cilium#36953, @jrajahalme)
* Remove outdated roadmap matrix and links to it (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#37170, @xmulligan)
* remove stable tags from image build (cilium/cilium#37394, @aanm)
* renovate: add fix grpc-go autodetection (Backport PR cilium/cilium#37278, Upstream PR cilium/cilium#33570, @aanm)

**Other Changes:**
* [v1.16] envoy: Bump envoy version to v1.31.x (cilium/cilium#37157, @sayboras)
* chore(deps): update go to v1.23.5 (v1.16) (cilium/cilium#37189, @sayboras)
* Do not leak ipcache entries when apiserver entities are cluster external (cilium/cilium#36927, @antonipp)
* install: Update image digests for v1.16.6 (cilium/cilium#37154, @cilium-release-bot[bot])
* Revert "chore(deps): update all-dependencies (v1.16)" (cilium/cilium#37525, @sayboras)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.16.7@sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.7@sha256:8e7eda5b194d45c3b1607f5bf31cbb3fecd0f1cf85ce32b41f93b2bd832bf02f`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.7@sha256:d5c331e03a7c9f158e43eef46537a7656b668dcf76e7b8397520770a51747803`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.7@sha256:8f408ed921cd534394aa1c57b313741cec6aec03a14ea243b2173cbf2c88c91e`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.7@sha256:dbdc856303e1ab6734538e29791fdfc4fe2c1295fd7bbce8fa006cd3165f85c8`

### operator-aws

`quay.io/cilium/operator-aws:v1.16.7@sha256:110d922337bdbfc3cd4d7d71b85b2c8f72c1d9925e9b61b4cd73ff990799d7ba`

### operator-azure

`quay.io/cilium/operator-azure:v1.16.7@sha256:4e7e64cc505676d402c68043934e2c8efc75b294245514d7611a58d06b5e0f69`

### operator-generic

`quay.io/cilium/operator-generic:v1.16.7@sha256:25a41ac50bcebfb780ed2970e55a5ba1a5f26996850ed5a694dc69b312e0b5a0`

### operator

`quay.io/cilium/operator:v1.16.7@sha256:bac2496ba4348267ca5f16c2dd73ba7be76330cdd0eef0a6958c260a3bf5951d`


1.15.14 (2025-02-18)

Summary of Changes
------------------

**Bugfixes:**
* Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#37086, @giorio94)
* Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#36103, @viktor-kurchenko)
* Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#36504, @viktor-kurchenko)

**CI Changes:**
* [v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (Backport PR cilium/cilium#37646, Upstream PR cilium/cilium#37380, @giorio94)
* gh: harmonize lvh kernel naming scheme (Backport PR cilium/cilium#37376, Upstream PR cilium/cilium#37322, @julianwiedmann)
* gh: update removed --loglevel option for kind (Backport PR cilium/cilium#37173, Upstream PR cilium/cilium#36935, @julianwiedmann)
* gha: fix retrieval of DNS server in conformance external workloads (Backport PR cilium/cilium#37376, Upstream PR cilium/cilium#37361, @giorio94)
* gha: Retrieve eks supported version via aws cli (Backport PR cilium/cilium#37224, Upstream PR cilium/cilium#37210, @sayboras)
* Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR cilium/cilium#37173, Upstream PR cilium/cilium#36364, @smagnani96)
* Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR cilium/cilium#37173, Upstream PR cilium/cilium#36962, @smagnani96)
* test: Move demo-httpd from Docker to Quay (Backport PR cilium/cilium#37173, Upstream PR cilium/cilium#37149, @joestringer)
* test: Move the dind image to Quay to avoid rate-limiting (Backport PR cilium/cilium#37442, Upstream PR cilium/cilium#37388, @pchaigno)

**Misc Changes:**
* [v1.15] deps: bump grpc-go to v1.64.1 (cilium/cilium#37628, @ferozsalam)
* [v1.15] docs: Update requirements.txt dependencies (cilium/cilium#37619, @joestringer)
* chore(deps): update actions/setup-go action to v5.3.0 (v1.15) (cilium/cilium#37118, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#37101, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#37245, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#37508, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#37034, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#37344, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#37665, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.15) (cilium/cilium#37339, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.6 (v1.15) (cilium/cilium#37216, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.17.0 (v1.15) (cilium/cilium#37507, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.17.1 (v1.15) (cilium/cilium#37590, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.15) (cilium/cilium#37217, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.15) (cilium/cilium#37506, @cilium-renovate[bot])
* chore(deps): update dependency protocolbuffers/protobuf to v29 (v1.15) (cilium/cilium#37509, @cilium-renovate[bot])
* chore(deps): update go to v1.22.11 (v1.15) (cilium/cilium#37046, @cilium-renovate[bot])
* chore(deps): update go to v1.23.6 (v1.15) (cilium/cilium#37498, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/certgen docker tag to v0.1.17 (v1.15) (cilium/cilium#37100, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.15) (cilium/cilium#37202, @cilium-renovate[bot])
* doc(glossary): Geneve as final RFC (Backport PR cilium/cilium#37376, Upstream PR cilium/cilium#37316, @alagoutte)
* doc: eks cluster restriction removed (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#37043, @viktor-kurchenko)
* doc: Removed nodeinit from aks byocni install (Backport PR cilium/cilium#37173, Upstream PR cilium/cilium#37048, @PhilipSchmid)
* docs: Add SNI policy example (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#37234, @sayboras)
* docs: pass current_version to html_context (Backport PR cilium/cilium#37173, Upstream PR cilium/cilium#37008, @ayuspin)
* Fix API generation and add trusted dependencies to renovate config (Backport PR cilium/cilium#37646, Upstream PR cilium/cilium#36957, @aanm)
* images/builder: let renovate update protoc and proto plugins (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#32739, @rolinh)
* images: don't assume Dockerfile directory in builder/runtime update scripts (Backport PR cilium/cilium#37376, Upstream PR cilium/cilium#34488, @tklauser)
* Remove outdated roadmap matrix and links to it (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#37170, @xmulligan)
* renovate: add fix grpc-go autodetection (Backport PR cilium/cilium#37281, Upstream PR cilium/cilium#33570, @aanm)

**Other Changes:**
* [v1.15] envoy: Bump envoy version to v1.31.x (cilium/cilium#37161, @sayboras)
* [v1.15] gha: Retrieve eks supported version via aws cli (cilium/cilium#37230, @sayboras)
* chore(deps): update go to v1.23.5 (v1.15) (cilium/cilium#37197, @sayboras)
* Cilium avoids running out of space in policy maps by cleaning up entries in specific cases previously missed. (cilium/cilium#36884, @bimmlerd)
* gha: Fix feature test artifact upload (cilium/cilium#37205, @sayboras)
* install: Update image digests for v1.15.13 (cilium/cilium#37153, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.15.14@sha256:f9599990748b0065990154dce0fc0ebec6baef55fd2125c9b710e03f61c7f4e6`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.15.14@sha256:1821eaa3597c3ec24fbc5b50e3dfb48358bc15e9104c3e3422da474052821f5b`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.15.14@sha256:ba840a1c16a0989b74f1bc4057c5630be9a290c64d6cfc00664ef39142da88b4`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.15.14@sha256:e0445a89ca8e9089637c0914aa85f6f3305a80be3ddc68ad8bf4262e284654e7`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.15.14@sha256:4434a0b36f558f5bb30b997b1c73e8cd9bce8dcc3fb27b86f43860cbab4aa12d`

### operator-aws

`quay.io/cilium/operator-aws:v1.15.14@sha256:642dd93c60dd8e161ab5c523a13b872cbfee80b092029ae62b55979ac5639231`

### operator-azure

`quay.io/cilium/operator-azure:v1.15.14@sha256:f6537984cce9df702ea6bc7acc37ccdc19e7c50d88eb716fb217dc2ab65a7081`

### operator-generic

`quay.io/cilium/operator-generic:v1.15.14@sha256:f4a23024a6eb3cba7f1f4b65c79bc9e1e675787d04a12253df22dbf623b76825`

### operator

`quay.io/cilium/operator:v1.15.14@sha256:ccdeb2b56005e565fd4bff895b80803a28029077bd27e1c4bbc05143dbc82925`


1.17.1 (2025-02-18)

Summary of Changes
------------------

**Minor Changes:**
* [v1.17] agent: Deprecate lb-only mode (cilium/cilium#37391, @brb)
* helm: Update CiliumNodeConfig version (Backport PR cilium/cilium#37440, Upstream PR cilium/cilium#37403, @sayboras)

**Bugfixes:**
* ces: Fix bug where stale endpoint information was injected into IPCache (Backport PR cilium/cilium#37416, Upstream PR cilium/cilium#37347, @gandro)
* socket-lb: Fix null pointer dereference in socketlb/cgroup.go (Backport PR cilium/cilium#37440, Upstream PR cilium/cilium#37426, @alvaroaleman)

**CI Changes:**
* test: Move the dind image to Quay to avoid rate-limiting (Backport PR cilium/cilium#37440, Upstream PR cilium/cilium#37388, @pchaigno)

**Misc Changes:**
* chore(deps): update all github action dependencies (v1.17) (cilium/cilium#37502, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#37342, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.17) (cilium/cilium#37501, @cilium-renovate[bot])
* chore(deps): update go to v1.23.6 (v1.17) (cilium/cilium#37446, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.17) (patch) (cilium/cilium#37409, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.17) (patch) (cilium/cilium#37496, @cilium-renovate[bot])

**Other Changes:**
* install: Update image digests for v1.17.0 (cilium/cilium#37432, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.1@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866`
`quay.io/cilium/cilium:stable@sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.1@sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.1@sha256:d4d838be1d8c20eaf1810f1be1ccc963e8229653357ec6cf8e8c1a53f3f03a71`
`quay.io/cilium/docker-plugin:stable@sha256:d4d838be1d8c20eaf1810f1be1ccc963e8229653357ec6cf8e8c1a53f3f03a71`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.1@sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc`
`quay.io/cilium/hubble-relay:stable@sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.1@sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c`
`quay.io/cilium/operator-alibabacloud:stable@sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.1@sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6`
`quay.io/cilium/operator-aws:stable@sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.1@sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b`
`quay.io/cilium/operator-azure:stable@sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.1@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97`
`quay.io/cilium/operator-generic:stable@sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97`

### operator

`quay.io/cilium/operator:v1.17.1@sha256:5c5f4408112365ae10ebcbab2621c273cebc671fe63b0f19cc1376326f140f89`
`quay.io/cilium/operator:stable@sha256:5c5f4408112365ae10ebcbab2621c273cebc671fe63b0f19cc1376326f140f89`


1.17.0 (2025-02-04)

We are excited to announce the **Cilium** **1.17.0** release!

A total of 2761 new commits have been contributed to this release by a growing community of over 880 developers and over 20,800 GitHub stars! :star_struck:

To keep up to date with all the latest Cilium releases, see [Announcements](https://github.com/cilium/cilium/discussions/categories/announcements)

Here's what's new in v1.17.0:

:mountain_cableway: **Networking**

- :vertical_traffic_light: **Quality of Service:** Annotate your Pods for Guaranteed, Burstable or BestEffort egress network traffic priority (#36025, @hemanthmalla)
- :globe_with_meridians: **Multi-Cluster Service API:** Use Kubernetes MCS to manage global services in a Cilium Cluster Mesh (#34439, @MrFreezeex)
- :twisted_rightwards_arrows: **Load Balance based on L4 Protocol:** Differentiate TCP and UDP based protocols for load balancing, so multiple services on the same port can be directed to different backends (#33434, @jibi)
- :magnet: **Per-Service LB Algorithms:** Choose maglev or random load balancing algorithms for individual services (#35735, @kl52752)
- :no_entry: **Deny lists for Service source ranges:** Control whether Kubernetes loadBalancerSourceRanges are treated as an allow or deny list (#36120, @borkmann)
- :swimmer: **Better control over IPAM:** IPs can be allocated statically using AWS tags, and multi-pool can support single IP ranges for pools (#34622, @antonipp; #34618, @juliusmh)
- :electric_plug: **Dynamic MTU detection:** Cilium respects changes made to the MTU at runtime without requiring an agent restart (#34314, @dylandreimerink)

:guardswoman: **Security**

- :rocket: **Improved network policy performance:** The cost of computing complex combinations of network policies has been reduced (Various PRs by @joamaki, @jrajahalme, @marseel, @nathanjsweet, @squeed and @youngnick)
- :card_index_dividers: **Prioritize critical network policies:** Cilium respects Kubernetes priorityNamespaces to prioritize endpoint propagation for critical namespaces when using CiliumEndpointSlices (#34199, @Kaczyniec)
- :clipboard: **Validate Network Policies:** Receive better feedback from Kubernetes when creating network policies (#34585, @squeed; #35904, @renyunkang; #36598, @pippolo84)
- :label: **Select CIDRGroups by Label:** Add labels to CIDRGroups and use these for network policy selection (#36087, @squeed)
- :bellhop_bell: **Extend ToServices for in-cluster services:** Services with a selector can be selected with ToServices network policy statements (#34208, @chaunceyjiang)
- :construction: **FQDN Filtering for hostNetwork:** Use CiliumClusterwideNetworkPolicy to configure Layer 7 filtering for DNS requests on nodes in the cluster (#34024, @atykhyy)
- :signal_strength: **HTTP policies on port ranges:** Redirect multiple ports in a single policy towards Envoy for Layer 7 filtering of HTTP traffic (#36056, @jrajahalme)

:spider_web: **Service Mesh & Gateway API**

- :shinto_shrine: **Gateway API 1.2.1:** Add support for the latest Gateway API v1.2.1 release, including HTTP retries and mirror fractions (#34720, @sayboras)
- :memo: **Static Gateway Addressing:** Cilium now supports statically specifying addresses for gateways (#33042, @chaunceyjiang)
- :closed_lock_with_key: **Improved Envoy TLS handling:** Use SDS for managing TLS visibility secrets in Envoy, improving policy calculation speed and secrets access (#35513, @youngnick)


:artificial_satellite: **Observability**

- :mag: **Dynamic Hubble Metrics:** Configure Hubble metrics with a new hubble-metrics-config ConfigMap to tune your network observability (#35185, @rectified95)
- :railway_track: **Track enabled features using Prometheus:** The cilium-agent and cilium-operator components expose Prometheus metrics for which features are enabled. (#35852, @aanm)
- :bar_chart: **Many new metrics:** Improved metrics related to BGP, network connections, network policy, pod management, and Cilium component status (Various PRs by @AwesomePatrol, @harsimran-pabla, @joestringer, @jshr-w, @mikejoh, @nimishamehta5, @odinuge, @ovidiutirla, @rectified95 and @sjdot)


:sunrise: **Scale**

- :chart_with_upwards_trend: **Better cluster connectivity checking:** The cilium-health component for cluster-wide network connectivity health detection is better tuned for reliable health checking at high scale (#35163, @jshr-w)
- :hourglass_flowing_sand: **Rate-limit monitor events:** Balance the number of eBPF events against the CPU usage required to process them (#29711, @siwiutki)
- :busts_in_silhouette: **Double-Write Identity mode:** New allocation mode for Security Identities to ease migration between CRD and KVStore identity backends (#31920, @antonipp)
- :balance_scale: **Better scale testing:** This release benefits from regular automated scale testing for network policy (#35278, @marseel)


:houses: **Community**

- :heart: Many end-users have stepped forward to tell their stories of running Cilium in production. If your company wants to submit a case study, let us know. We would love to hear your feedback!
  - [Seznam](https://www.cncf.io/case-studies/seznam/), [Alibaba Cloud](https://www.cncf.io/case-studies/alibaba/), [SysEleven](https://www.cncf.io/case-studies/syseleven/), [QingCloud](https://www.cncf.io/case-studies/qingcloud/), [ECCO](https://www.youtube.com/watch?v=Ennjmo9TFaM), [Reddit](https://www.youtube.com/watch?v=YNDp7Id7Bbs), [Confluent](https://www.youtube.com/watch?v=vOSiVeBXYpM), [SamsungAds](https://www.youtube.com/watch?v=2KlVTx611bk), and [Sony](https://www.youtube.com/watch?v=M0PincxlHpI)
- The [Cilium Annual Report 2024](https://github.com/cilium/cilium.io/blob/main/Annual-Reports/Cilium_Annual_Report_2024.pdf) was released covering all the highlights from across the community and marking the “Year of Kubernetes Networking”
- The community gathered at [Cilium + eBPF Day](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/co-located-events/cilium-ebpf-day/) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2024-NA) in Salt Lake City
- Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and the [Cilium Developer Summit](https://docs.google.com/forms/d/e/1FAIpQLSd8E1dtCYiwqcw1MemQU3RDKlIQNBi2dRVMVGqDPgSow9mKjA/viewform?usp=header) in London

And finally, we would like to thank all the contributors to Cilium who helped directly and indirectly with the project. The success of Cilium could not happen without all of you. :heart: :heart: :heart:

For the full changelog check https://github.com/cilium/cilium/blob/v1.17.0/CHANGELOG.md

## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.0@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d`
`quay.io/cilium/cilium:stable@sha256:51f21bdd003c3975b5aaaf41bd21aee23cc08f44efaa27effc91c621bc9d8b1d`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.0@sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:05ccf79102724a943b967337a7cd45177118b76b72fb937d0c8ecb3ce136605c`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.0@sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f`
`quay.io/cilium/docker-plugin:stable@sha256:cf2a7b6779e1264c35d77a799aab25ee9bb67582764b297edf6ad62fa02a3c6f`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.0@sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05`
`quay.io/cilium/hubble-relay:stable@sha256:022c084588caad91108ac73e04340709926ea7fe12af95f57fcb794b68472e05`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.0@sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b`
`quay.io/cilium/operator-alibabacloud:stable@sha256:0154a855650dac844347d35404e08f3ad141c05e1d903a648558e6f15e4fef8b`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.0@sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7`
`quay.io/cilium/operator-aws:stable@sha256:a81cea10c4210589750c2588a20ece2822fd57be8529df4dc7779031cec66af7`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.0@sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7`
`quay.io/cilium/operator-azure:stable@sha256:56e83fbdfbea161b2252c51c7ce03960f7141700473bbd2906bcdb53f46610d7`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.0@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8`
`quay.io/cilium/operator-generic:stable@sha256:1ce5a5a287166fc70b6a5ced3990aaa442496242d1d4930b5a3125e44cccdca8`

### operator

`quay.io/cilium/operator:v1.17.0@sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587`
`quay.io/cilium/operator:stable@sha256:39c9221d75f47f717fe438912309a96b59b8257a74dc624fdeebebcfbd74b587`


1.17.0-rc.2 (2025-01-24)

Summary of Changes
------------------

**Major Changes:**
* The Helm setting tls.secretsBackend is deprecated and should be replaced with the use of the tls.readSecretsOnlyFromSecretsNamespace setting instead. tls.secretsBackend will be removed in a future Cilium version. (Backport PR cilium/cilium#37232, Upstream PR cilium/cilium#37076, @youngnick)

**Minor Changes:**
* Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36598, @pippolo84)
* bpf: Address backend selection under session affinity with Maglev (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37005, @borkmann)
* clustermesh: add dualstack support for MCS-API and fix a spec compliance issue with headless services (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37053, @MrFreezeex)
* doc: Added hostLegacyRouting limitation for Talos (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36852, @PhilipSchmid)
* Improves Network Policy validation and default deny behavior. Policies now require at least one of Ingress, IngressDeny, Egress, or EgressDeny to be defined. (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#35904, @renyunkang)
* ingress: Remove multiple network device limitation (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36769, @sayboras)
* k8s: Bump k8s/kubectl to v0.32.0 (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36827, @sayboras)

**Bugfixes:**
* Allow cilium agent to start on linux kernels that don't have CONFIG_XFRM. (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37123, @julianwiedmann)
* clustermesh: fix MCS-API service export cache not properly deleted (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36892, @MrFreezeex)
* clustermesh: add support for targetPort in MCS-API (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36875, @MrFreezeex)
* envoy: add configurable access log buffer size (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36823, @aetimmes)
* Fix a bug that prevents a pod from accessing Nodeport services when the pod is also in scope of a broad-range Egress Gateway policy. (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36929, @julianwiedmann)
* Fix bug causing the endpoint regeneration failure handler to be effective only once (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37085, @giorio94)
* Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37086, @giorio94)
* Fix configuration of proxy-max-concurrent-retries (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37061, @joestringer)
* Fix memory leak caused by service events when CNPs/CCNPs are disabled (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36727, @giorio94)
* fix: Hubble metrics not deleted for deleted pods (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36819, @rectified95)
* hubble: fix metrics configuration parsing (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36371, @kaworu)
* operator: don't reconcile non-GAMMA xRoutes without a Cilium-managed Gateway (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#35718, @aetimmes)

**CI Changes:**
* .github: Set --interactive=false for cilium status (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37151, @joestringer)
* ci-e2e-upgrade: Cover wireguard + geneve tunnel (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37163, @jschwinger233)
* ci: add leak detection to conformance-ipsec-upgrade (Backport PR cilium/cilium#37169, Upstream PR cilium/cilium#36377, @smagnani96)
* ci: more robust hubble relay service port-forwarding (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37110, @rolinh)
* gh: e2e-upgrade: use DSR-Geneve in config 15 (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36982, @julianwiedmann)
* gh: update removed --loglevel option for kind (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36935, @julianwiedmann)
* gha: Bump k8s version to v1.32.0 (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36905, @sayboras)
* gha: bump ubuntu version in conformance-externalworkloads (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36859, @giorio94)
* gha: correctly downgrade to patch release in ipsec workflows (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36858, @giorio94)
* gha: Retrieve eks supported version via aws cli (Backport PR cilium/cilium#37222, Upstream PR cilium/cilium#37210, @sayboras)
* integration: Bump ubuntu to 24.04 for arm runners (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37042, @sayboras)
* Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36364, @smagnani96)
* Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#36962, @smagnani96)
* test: Fix the flake for TestRestoredPort (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37106, @sayboras)
* test: Move demo-httpd from Docker to Quay (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37149, @joestringer)

**Misc Changes:**
* .github/build-images-ci: re-enable floating tags for stable branches (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36913, @aanm)
* [v1.17] deps: bump x/crypto to v0.31 and x/net to v0.33 (cilium/cilium#36958, @ferozsalam)
* Add GOARCH to go install dlv command (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36853, @gyutaeb)
* build: Remove debug leftover from Makefile (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36917, @gentoo-root)
* chore(deps): update actions/setup-go action to v5.3.0 (v1.17) (cilium/cilium#37116, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.17) (cilium/cilium#36948, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.17) (cilium/cilium#37073, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#36916, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#37032, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#37115, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#37150, @cilium-renovate[bot])
* chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.17) (cilium/cilium#37214, @cilium-renovate[bot])
* chore(deps): update docker.io/alpine/socat docker tag to v1.8.0.1 (v1.17) (cilium/cilium#37071, @cilium-renovate[bot])
* chore(deps): update go (v1.17) (cilium/cilium#37179, @cilium-renovate[bot])
* chore(deps): update go to v1.23.5 (v1.17) (cilium/cilium#37044, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737074032-41faf0e6060077f7cccb8bb34a08eff4afde2ccd (v1.17) (cilium/cilium#37040, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.17) (cilium/cilium#37200, @cilium-renovate[bot])
* cilium: minor hostport fixes (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36856, @borkmann)
* cli: Fix empty egress bandwidth and priority config display (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37109, @l1b0k)
* clustermesh: Add hidden flag --allow-unsafe-policy-skb-usage (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36602, @joestringer)
* clustermesh: update coredns version in mcs-api docs (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36899, @MrFreezeex)
* doc: ebpf host-routing and netfilter (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36921, @PhilipSchmid)
* doc: Removed nodeinit from aks byocni install (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37048, @PhilipSchmid)
* Docs: CiliumCIDRGroup updates & cleanups (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37059, @squeed)
* docs: Clarify Identity-Relevant Labels description (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36924, @joestringer)
* docs: pass current_version to html_context (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37008, @ayuspin)
* docs: remove some stale requirements (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36861, @julianwiedmann)
* docs: Remove stale limitation on KPR+IPsec (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37054, @pchaigno)
* docs: tuning: add config snippet for BPF Host Routing (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36878, @julianwiedmann)
* docs: Update L7 Port Range Information (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36966, @nathanjsweet)
* Endpoint policy before restoration (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36433, @jrajahalme)
* Fix `make -C Documentation update-cmdref` when make uses `--jobserver-style=fifo`. (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36788, @gentoo-root)
* localnodeconfig: dedup cluster routing mode (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36932, @julianwiedmann)
* make: Don't hide install errors (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36980, @joestringer)
* metrics: Use new style script flags (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37088, @joamaki)
* policy: Deprecating the `toRequires` and `fromRequires` fields in network policies. (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36649, @nathanjsweet)
* policy: reduce allocs by avoiding use of interface types, retire MapStateOwners (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36798, @jrajahalme)
* proxy: Mark restored port as configured (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#36953, @jrajahalme)
* Remove outdated roadmap matrix and links to it (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37170, @xmulligan)
* watchers: demote "CEP deleted" log message to debug level (Backport PR cilium/cilium#37126, Upstream PR cilium/cilium#37081, @giorio94)
* wireguard: attach Ingress program for native routing mode configurations (Backport PR cilium/cilium#37247, Upstream PR cilium/cilium#37108, @julianwiedmann)

**Other Changes:**
* install: Update image digests for v1.17.0-rc.1 (cilium/cilium#36938, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.0-rc.2@sha256:a0d21e7191f7635c05f5aeb977c19369adafe50365eca65cfe364615a6cb8fc6`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.0-rc.2@sha256:77e5bf1a8048e7f21704168af3763e9d399170371c6b6ae762676b75b60c1add`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.0-rc.2@sha256:3e00442c12837297aab287bb99dbb3c30d795dc638c9d051307cbd4a017e70ad`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.0-rc.2@sha256:409333bf0a3224ce6e26073a5a46156b5b15357818582f32c5be4d7d7608033b`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.0-rc.2@sha256:a6b678e3e20954ee623dff5a49a27a40e17ba73b66ee364eb659c762658c20c8`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.0-rc.2@sha256:3c5576e5a5bbedeede90ce684f9c3d99c9a675319a2c13c935f1b8245c1d3413`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.0-rc.2@sha256:edee761954fbc5b1411aa7a270ee15e56074d462109b507aff1684d467d82742`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.0-rc.2@sha256:13fcd5cbe871342bcbdc42dea9d72250c8e38cdd538ce049c5506a81f8f43b72`

### operator

`quay.io/cilium/operator:v1.17.0-rc.2@sha256:af7ef3aa16b39110a3f9e424a90f9b334ed31ebaf4235895fdf0392239b7cb51`


1.16.6 (2025-01-22)

Summary of Changes
------------------

**Major Changes:**
* Add feature tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#35852, @aanm)
* Add feature tracking in Cilium Operator as prometheus metrics (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36077, @aanm)

**Minor Changes:**
* envoy: Use yaml format for bootstrap config (Backport PR cilium/cilium#36782, Upstream PR cilium/cilium#36820, @sayboras)
* Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (cilium/cilium#36561, @pippolo84)
* service: Cap number of backends included in monitor message (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36394, @joamaki)

**Bugfixes:**
* cilium: LB source ranges fixes (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36517, @borkmann)
* eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to comma separated string (Backport PR cilium/cilium#36872, Upstream PR cilium/cilium#36617, @sderoe)
* envoy: Configure internal address config based on IP family (Backport PR cilium/cilium#36782, Upstream PR cilium/cilium#36733, @sayboras)
* Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36176, @tamilmani1989)
* metrics/features: remove reporting metrics' defaults by default (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36298, @aanm)
* pkg/redirectpolicy: Fix backend slices in processConfig (Backport PR cilium/cilium#36872, Upstream PR cilium/cilium#35496, @Sm0ckingBird)
* ui: drop CORS headers from api response (Backport PR cilium/cilium#36872, Upstream PR cilium/cilium#35762, @geakstr)

**CI Changes:**
* [v1.16] .github: Remove CI Fuzz workflow (cilium/cilium#36641, @joestringer)
* [v1.16] gh: e2e-upgrade: use 6.12 kernel for netkit test configs (cilium/cilium#36620, @julianwiedmann)
* [v1.16] gha: use /test to trigger tests in stable branches (cilium/cilium#36673, @giorio94)
* ci: fix job names for various ci workflows (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36397, @marseel)
* Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR cilium/cilium#36872, Upstream PR cilium/cilium#33398, @giorio94)
* gh: e2e-upgrade: add coverage for 6.6 kernel (Backport PR cilium/cilium#36988, Upstream PR cilium/cilium#36626, @julianwiedmann)
* gh: e2e-upgrade: de-renovate the config example (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36463, @julianwiedmann)
* gha: drop leftover token parameter in net-perf-gke workflow (cilium/cilium#36684, @giorio94)
* gha: fix merging of features-related artifacts (cilium/cilium#36665, @giorio94)
* gha: merge artifacts in net-perf-gke workflow (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36236, @giorio94)
* gha: Use ubuntu-24.04 for integration-test (Backport PR cilium/cilium#36659, Upstream PR cilium/cilium#36628, @sayboras)

**Misc Changes:**
* .github/workflows: always install cilium-cli (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36234, @aanm)
* .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36461, @aanm)
* .github: fix conformance-k8s NP test (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36355, @aanm)
* [v1.16] Use bash syntax to consume env variable (cilium/cilium#36636, @ferozsalam)
* Add more features tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36078, @aanm)
* Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36203, @aanm)
* Add the tls:// prefix in the Hubble TLS doc (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36410, @liyihuang)
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#36612, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#36762, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#36950, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#37099, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (patch) (cilium/cilium#36760, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#36707, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#36787, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#36949, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#37033, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.16) (cilium/cilium#36895, @cilium-renovate[bot])
* chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 7c3c3ce (v1.16) (cilium/cilium#36609, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.16) (cilium/cilium#36850, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.10 docker digest to 9855006 (v1.16) (cilium/cilium#36610, @cilium-renovate[bot])
* chore(deps): update go to v1.22.11 (v1.16) (cilium/cilium#37045, @cilium-renovate[bot])
* chore(deps): update helm/kind-action action to v1.12.0 (v1.16) (cilium/cilium#36839, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.16) (patch) (cilium/cilium#36611, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.16) (patch) (cilium/cilium#36699, @cilium-renovate[bot])
* doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport PR cilium/cilium#36872, Upstream PR cilium/cilium#36701, @alagoutte)
* docs: Add missing default identity label in the description of identity-relevant labels' example (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36558, @liyihuang)
* docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36549, @verysonglaa)
* Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (Backport PR cilium/cilium#36635, Upstream PR cilium/cilium#36417, @EricMountain)
* Fix `make -C Documentation update-cmdref` when make uses `--jobserver-style=fifo`. (Backport PR cilium/cilium#36872, Upstream PR cilium/cilium#36788, @gentoo-root)
* fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.16) (cilium/cilium#36711, @cilium-renovate[bot])
* ingress, gateway-api: Convert test fixtures to file based (Backport PR cilium/cilium#36782, Upstream PR cilium/cilium#36732, @sayboras)
* metrics/features: enable ClusterMesh (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36402, @aanm)
* metrics/features: refactor metric names (Backport PR cilium/cilium#36263, Upstream PR cilium/cilium#36209, @aanm)
* Prepare for release v1.16.6 (cilium/cilium#36989, @cilium-release-bot[bot])
* Remove reference to DNS polling (Backport PR cilium/cilium#36872, Upstream PR cilium/cilium#36679, @JacobHenner)

**Other Changes:**
* [v1.16] author backport: helm: avoid setting bpf-lb-sock-terminate-pod-connections (cilium/cilium#36650, @ysksuzuki)
* install: Update image digests for v1.16.5 (cilium/cilium#36671, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da`
`quay.io/cilium/cilium:stable@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.6@sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.6@sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66`
`quay.io/cilium/docker-plugin:stable@sha256:f8f5833a60900b0264fd8982b11329e130c1a326afe2e4653e9f2d2e3fb2af66`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.6@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b`
`quay.io/cilium/hubble-relay:stable@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.6@sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9`
`quay.io/cilium/operator-alibabacloud:stable@sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9`

### operator-aws

`quay.io/cilium/operator-aws:v1.16.6@sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d`
`quay.io/cilium/operator-aws:stable@sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d`

### operator-azure

`quay.io/cilium/operator-azure:v1.16.6@sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd`
`quay.io/cilium/operator-azure:stable@sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd`

### operator-generic

`quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc`
`quay.io/cilium/operator-generic:stable@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc`

### operator

`quay.io/cilium/operator:v1.16.6@sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46`
`quay.io/cilium/operator:stable@sha256:09ab2878e103fa32a00fd1fe4469f7042cfb053627b44c82fa03a04a820c0b46`


1.15.13 (2025-01-22)

Summary of Changes
------------------

**Major Changes:**
* Add feature tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#35852, @aanm)
* Add feature tracking in Cilium Operator as prometheus metrics (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36077, @aanm)

**Minor Changes:**
* envoy: Use yaml format for bootstrap config (Backport PR cilium/cilium#36864, Upstream PR cilium/cilium#36820, @sayboras)
* Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (cilium/cilium#36560, @pippolo84)

**Bugfixes:**
* envoy: Configure internal address config based on IP family (Backport PR cilium/cilium#36864, Upstream PR cilium/cilium#36733, @sayboras)
* metrics/features: remove reporting metrics' defaults by default (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36298, @aanm)
* ui: drop CORS headers from api response (Backport PR cilium/cilium#36871, Upstream PR cilium/cilium#35762, @geakstr)

**CI Changes:**
* [v1.15] .github: Remove CI Fuzz workflow (cilium/cilium#36642, @joestringer)
* [v1.15] gha: bump ubuntu version in conformance-externalworkloads (cilium/cilium#36857, @giorio94)
* [v1.15] gha: use /test to trigger tests in stable branches (cilium/cilium#36674, @giorio94)
* [v1.15] Unblock verifier test LVH image updates (cilium/cilium#36689, @tklauser)
* ci: fix job names for various ci workflows (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36397, @marseel)
* Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR cilium/cilium#36783, Upstream PR cilium/cilium#33398, @giorio94)
* gh: e2e-upgrade: de-renovate the config example (Backport PR cilium/cilium#36638, Upstream PR cilium/cilium#36463, @julianwiedmann)
* gha: correctly downgrade to patch release in ipsec workflows (Backport PR cilium/cilium#36985, Upstream PR cilium/cilium#36858, @giorio94)
* gha: merge artifacts in net-perf-gke workflow (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36236, @giorio94)
* gha: Use ubuntu-24.04 for integration-test (Backport PR cilium/cilium#36660, Upstream PR cilium/cilium#36628, @sayboras)
* Use Clang from cilium-builder image to build BPF code in CI (Backport PR cilium/cilium#36871, Upstream PR cilium/cilium#31754, @gentoo-root)

**Misc Changes:**
* .github/workflows: always install cilium-cli (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36234, @aanm)
* .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36461, @aanm)
* .github: fix conformance-k8s NP test (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36355, @aanm)
* [v1.15] Use bash syntax to consume env variable (cilium/cilium#36634, @ferozsalam)
* Add more features tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36078, @aanm)
* Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36203, @aanm)
* build: Remove debug leftover from Makefile (Backport PR cilium/cilium#36985, Upstream PR cilium/cilium#36917, @gentoo-root)
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#36616, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#36951, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (patch) (cilium/cilium#36445, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#36613, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#36903, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.15) (cilium/cilium#36891, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.5 (v1.15) (cilium/cilium#36764, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.15) (cilium/cilium#36614, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.15) (patch) (cilium/cilium#36765, @cilium-renovate[bot])
* docs: Clarify Identity-Relevant Labels description (Backport PR cilium/cilium#36985, Upstream PR cilium/cilium#36924, @joestringer)
* docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR cilium/cilium#36638, Upstream PR cilium/cilium#36549, @verysonglaa)
* Fix `make -C Documentation update-cmdref` when make uses `--jobserver-style=fifo`. (Backport PR cilium/cilium#36871, Upstream PR cilium/cilium#36788, @gentoo-root)
* fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.15) (cilium/cilium#36712, @cilium-renovate[bot])
* ingress, gateway-api: Convert test fixtures to file based (Backport PR cilium/cilium#36783, Upstream PR cilium/cilium#36732, @sayboras)
* metrics/features: enable ClusterMesh (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36402, @aanm)
* metrics/features: refactor metric names (Backport PR cilium/cilium#36483, Upstream PR cilium/cilium#36209, @aanm)
* Remove reference to DNS polling (Backport PR cilium/cilium#36783, Upstream PR cilium/cilium#36679, @JacobHenner)

**Other Changes:**
* [v1.15] envoy: Demote expected initial fetch timeout warning to info level (cilium/cilium#37014, @sayboras)
* install: Update image digests for v1.15.12 (cilium/cilium#36655, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.15.13@sha256:61d27c5adda269e4d4dffbc3fa619590c2c601bb23e62255d14515c8d6aed9a6`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.15.13@sha256:e5c925b5109ae93a5eca521acc2a225c1a2ea516a6502ff2a51d1a724b68681d`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.15.13@sha256:5b242fab9f4a6b6ed3eff3729c8b4974bf997c0446f72a155d8ae593d864c4bc`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.15.13@sha256:68456e4b0dd3181000af51d89c0664c8b08e8c55d0d8d9ff949efea2a84bdf11`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.15.13@sha256:360c5d0a26498606fece10cc67fdac859f963934611d17ab0bb3c5fa30b4223e`

### operator-aws

`quay.io/cilium/operator-aws:v1.15.13@sha256:cca2e5133c4f257cef10f0ad63d0ed5632b7ad556e311b1ae39574eb351b7fe3`

### operator-azure

`quay.io/cilium/operator-azure:v1.15.13@sha256:9c2f0898a19887c8f043f4742b40ac9b3496934f2c90442b42abf8bb47c26ed8`

### operator-generic

`quay.io/cilium/operator-generic:v1.15.13@sha256:7ee922f169575ae201cb39c89973f931ce2306df792b8850ab9e3591b9d704a8`

### operator

`quay.io/cilium/operator:v1.15.13@sha256:9ef72a85e70d87397cf1e5cd1daffdb972960783bfe6cb6d5e6546fc908f2f2e`


1.14.19 (2025-01-22)

Summary of Changes
------------------

**Major Changes:**
* Add feature tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#35852, @aanm)
* Add feature tracking in Cilium Operator as prometheus metrics (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36077, @aanm)

**Minor Changes:**
* envoy: Use yaml format for bootstrap config (Backport PR cilium/cilium#36876, Upstream PR cilium/cilium#36820, @sayboras)
* Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs (cilium/cilium#36559, @pippolo84)

**Bugfixes:**
* envoy: Configure internal address config based on IP family (Backport PR cilium/cilium#36876, Upstream PR cilium/cilium#36733, @sayboras)
* metrics/features: remove reporting metrics' defaults by default (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36298, @aanm)
* ui: drop CORS headers from api response (Backport PR cilium/cilium#36870, Upstream PR cilium/cilium#35762, @geakstr)

**CI Changes:**
* [v1.14] .github: Remove CI Fuzz workflow (cilium/cilium#36643, @joestringer)
* [v1.14] gha: use /test to trigger tests in stable branches (cilium/cilium#36675, @giorio94)
* [v1.14] Unblock verifier test LVH image updates (cilium/cilium#36688, @tklauser)
* ci: fix job names for various ci workflows (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36397, @marseel)
* Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR cilium/cilium#36870, Upstream PR cilium/cilium#33398, @giorio94)
* gha: bump ubuntu version in conformance-externalworkloads (Backport PR cilium/cilium#36984, Upstream PR cilium/cilium#36859, @giorio94)
* gha: correctly downgrade to patch release in ipsec workflows (Backport PR cilium/cilium#36984, Upstream PR cilium/cilium#36858, @giorio94)
* gha: merge artifacts in net-perf-gke workflow (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36236, @giorio94)
* gha: Use ubuntu-24.04 for integration-test (Backport PR cilium/cilium#36661, Upstream PR cilium/cilium#36628, @sayboras)
* Use Clang from cilium-builder image to build BPF code in CI (Backport PR cilium/cilium#36870, Upstream PR cilium/cilium#31754, @gentoo-root)

**Misc Changes:**
* .github/workflows: always install cilium-cli (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36234, @aanm)
* .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36461, @aanm)
* .github: fix conformance-k8s NP test (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36355, @aanm)
* [v1.14] Use bash syntax to consume env variable (cilium/cilium#36633, @ferozsalam)
* Add more features tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36078, @aanm)
* Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36203, @aanm)
* build: Remove debug leftover from Makefile (Backport PR cilium/cilium#36984, Upstream PR cilium/cilium#36917, @gentoo-root)
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#36909, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.14) (cilium/cilium#36904, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.14) (cilium/cilium#36896, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.5 (v1.14) (cilium/cilium#36840, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.10 docker digest to 1a6e657 (v1.14) (cilium/cilium#36907, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.9-1734560096-c1e57e20d9a5f4e462163e5354f787bfa0d2b50f (v1.14) (cilium/cilium#36708, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.14) (patch) (cilium/cilium#36908, @cilium-renovate[bot])
* docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR cilium/cilium#36639, Upstream PR cilium/cilium#36549, @verysonglaa)
* Fix `make -C Documentation update-cmdref` when make uses `--jobserver-style=fifo`. (Backport PR cilium/cilium#36870, Upstream PR cilium/cilium#36788, @gentoo-root)
* fix(deps): update module golang.org/x/net to v0.33.0 [security] (v1.14) (cilium/cilium#36713, @cilium-renovate[bot])
* ingress, gateway-api: Convert test fixtures to file based (Backport PR cilium/cilium#36784, Upstream PR cilium/cilium#36732, @sayboras)
* metrics/features: enable ClusterMesh (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36402, @aanm)
* metrics/features: refactor metric names (Backport PR cilium/cilium#36519, Upstream PR cilium/cilium#36209, @aanm)
* Remove reference to DNS polling (Backport PR cilium/cilium#36870, Upstream PR cilium/cilium#36679, @JacobHenner)

**Other Changes:**
* install: Update image digests for v1.14.18 (cilium/cilium#36654, @cilium-release-bot[bot])
* Speed up datapath compilation by up to 50% (cilium/cilium#36670, @ti-mo)


## Docker Manifests

### cilium

`docker.io/cilium/cilium:v1.14.19@sha256:dfee0589d6dbb64fccde38588e5ee963a8578cfa029539cbabae4e15589b9c3b`
`quay.io/cilium/cilium:v1.14.19@sha256:dfee0589d6dbb64fccde38588e5ee963a8578cfa029539cbabae4e15589b9c3b`

### clustermesh-apiserver

`docker.io/cilium/clustermesh-apiserver:v1.14.19@sha256:fecccb6f1c8b27637ea950bf7ce40bd6bb597f0cd35f9f9322049d5a3f29578b`
`quay.io/cilium/clustermesh-apiserver:v1.14.19@sha256:fecccb6f1c8b27637ea950bf7ce40bd6bb597f0cd35f9f9322049d5a3f29578b`

### docker-plugin

`docker.io/cilium/docker-plugin:v1.14.19@sha256:ab5500874aade9f8d295d2d55576929f0bd0dfb206ed1d498ecf4cc99d4f2ede`
`quay.io/cilium/docker-plugin:v1.14.19@sha256:ab5500874aade9f8d295d2d55576929f0bd0dfb206ed1d498ecf4cc99d4f2ede`

### hubble-relay

`docker.io/cilium/hubble-relay:v1.14.19@sha256:64599363dc856b93a2f7586dce587a9af0a60b6a4c6fa7b8d89543b354832c0e`
`quay.io/cilium/hubble-relay:v1.14.19@sha256:64599363dc856b93a2f7586dce587a9af0a60b6a4c6fa7b8d89543b354832c0e`

### kvstoremesh

`docker.io/cilium/kvstoremesh:v1.14.19@sha256:815188117840f69a3d1eb1fce7bbac539cc5e0292c1c4b39b89a31c22d601d89`
`quay.io/cilium/kvstoremesh:v1.14.19@sha256:815188117840f69a3d1eb1fce7bbac539cc5e0292c1c4b39b89a31c22d601d89`

### operator-alibabacloud

`docker.io/cilium/operator-alibabacloud:v1.14.19@sha256:98398bbaa93c93d07046cf01037015a7bfc848532c9e0ca9286df9eb7859b49d`
`quay.io/cilium/operator-alibabacloud:v1.14.19@sha256:98398bbaa93c93d07046cf01037015a7bfc848532c9e0ca9286df9eb7859b49d`

### operator-aws

`docker.io/cilium/operator-aws:v1.14.19@sha256:a3914c09f74e822086fc861d5d287ad07e10ce31d7c41cd0e12556e5ac61c74b`
`quay.io/cilium/operator-aws:v1.14.19@sha256:a3914c09f74e822086fc861d5d287ad07e10ce31d7c41cd0e12556e5ac61c74b`

### operator-azure

`docker.io/cilium/operator-azure:v1.14.19@sha256:c46d2b59c318430be2dc19ec2ad9724414915b3e46124356bbcaa38c95401701`
`quay.io/cilium/operator-azure:v1.14.19@sha256:c46d2b59c318430be2dc19ec2ad9724414915b3e46124356bbcaa38c95401701`

### operator-generic

`docker.io/cilium/operator-generic:v1.14.19@sha256:3201b8a127dc5344f31c89b5c199f15d90eb5a56a997ba933707ba0dbf69322e`
`quay.io/cilium/operator-generic:v1.14.19@sha256:3201b8a127dc5344f31c89b5c199f15d90eb5a56a997ba933707ba0dbf69322e`

### operator

`docker.io/cilium/operator:v1.14.19@sha256:03ff2ea917a6de911acc3c42bc8bc33e7ae251c15b82851c1e8f222eb578fdca`
`quay.io/cilium/operator:v1.14.19@sha256:03ff2ea917a6de911acc3c42bc8bc33e7ae251c15b82851c1e8f222eb578fdca`


1.17.0-rc.1 (2025-01-10)

Summary of Changes
------------------

**Minor Changes:**
* envoy: Use yaml format for bootstrap config (Backport PR cilium/cilium#36781, Upstream PR cilium/cilium#36820, @sayboras)
* vendor: Bump gateway-api version to v1.2.1 (Backport PR cilium/cilium#36781, Upstream PR cilium/cilium#36773, @sayboras)

**Bugfixes:**
* envoy: Configure internal address config based on IP family (Backport PR cilium/cilium#36781, Upstream PR cilium/cilium#36733, @sayboras)

**CI Changes:**
* [v1.17] gh: replace kernel development trees with 6.12 kernel (cilium/cilium#36841, @julianwiedmann)
* gha: Disable envoy version check in upgrade/downgrade tests (Backport PR cilium/cilium#36739, Upstream PR cilium/cilium#36734, @sayboras)
* github: Fix branch name in build-go-caches.yaml (cilium/cilium#36906, @michi-covalent)

**Misc Changes:**
* chore(deps): update all github action dependencies (v1.17) (cilium/cilium#36759, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#36724, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.17) (cilium/cilium#36849, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.17) (cilium/cilium#36894, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.4 docker digest to 7ea4c9d (v1.17) (cilium/cilium#36848, @cilium-renovate[bot])
* chore(deps): update helm/kind-action action to v1.12.0 (v1.17) (cilium/cilium#36837, @cilium-renovate[bot])
* chore(deps): update kindest/node docker tag to v1.29.12 (v1.17) (cilium/cilium#36758, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.17) (patch) (cilium/cilium#36722, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.17) (patch) (cilium/cilium#36836, @cilium-renovate[bot])
* doc: fix typo on kubeproxy-free (CEV -> CVE) (Backport PR cilium/cilium#36739, Upstream PR cilium/cilium#36701, @alagoutte)
* ingress, gateway-api: Convert test fixtures to file based (Backport PR cilium/cilium#36781, Upstream PR cilium/cilium#36732, @sayboras)
* ingress, gateway-api: Convert test fixtures to file based (Backport PR cilium/cilium#36781, Upstream PR cilium/cilium#36810, @sayboras)
* Remove reference to DNS polling (Backport PR cilium/cilium#36739, Upstream PR cilium/cilium#36679, @JacobHenner)
* vendor: bump ebpf-go to 0.17 (Backport PR cilium/cilium#36781, Upstream PR cilium/cilium#36723, @ti-mo)

**Other Changes:**
* [v1.17] gha: use /test to trigger tests in stable branches (cilium/cilium#36690, @giorio94)
* install: Update image digests for v1.17.0-rc.0 (cilium/cilium#36693, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.0-rc.1@sha256:a6e0b8285dc7979e89d2cec34fbd0c5997a459f1870ebd42c8ece3e061cf5f7e`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.0-rc.1@sha256:2b7b7d2b97f635f6fb8cc238f3d3c2243ad77148fd5bd926cd59d21a7d6d1154`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.0-rc.1@sha256:1d28c407cf853a89231d2b07e1f4b74e033b6067f755844c1ef6fb3c34865d1f`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.0-rc.1@sha256:c5dc43e38cd54b332787f7da273dcffaf8fb0fc17826dc27ee53d1a9f7a5ee91`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.0-rc.1@sha256:ada65be66352e2be8bb1170039f80ef89bb84a77be386d0445761a442ccee666`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.0-rc.1@sha256:4bf0d1caddc56a826b5ffc21db9494284c65cd5ca5e531b935140f366367a4a6`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.0-rc.1@sha256:b2549f4216a27001614235388a0f793d7d0113e36f70eca72292ab8a3b40f36c`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.0-rc.1@sha256:67ecfb0e0f752faa3a83dd85e6a94b921a1cdb37c1c34750e17d2344932153a8`

### operator

`quay.io/cilium/operator:v1.17.0-rc.1@sha256:e3fa5d66a5d88dcbdc5cd1644ab76dbbf58bdef12c6f5faccebc51fd32c845dc`


1.17.0-rc.0 (2024-12-18)

Summary of Changes
------------------

**Major Changes:**
* Add support for pod level Networking QoS classes with BW Manager and FQ (cilium/cilium#36025, @hemanthmalla)
* bgp: remove metallb bgp integration. (cilium/cilium#36191, @harsimran-pabla)
* CLI: cilium upgrade preserve prev config (cilium/cilium#36347, @saiaunghlyanhtet)
* HTTP policies are now supported on port ranges. (cilium/cilium#36056, @jrajahalme)

**Minor Changes:**
* Add option for user-supplied Envoy bootstrap configmaps in helm chart (cilium/cilium#35597, @byxorna)
* Adds the ability to add labels to external CIDRs for policy selection and Hubble flows. (cilium/cilium#36087, @squeed)
* Allow delegated IPAM to specify uplink interface (cilium/cilium#34779, @ruicao93)
* Batch processing of Service and EndpointSlices up to 200 milliseconds to merge repeated changes to a single Service. This significantly reduces the amount of processing Cilium performs for Services with many EndpointSlices. (cilium/cilium#36466, @joamaki)
* BGP: Introducing metrics for tracking health of BGP subsystem reconcile loop (cilium/cilium#36369, @harsimran-pabla)
* bpffs: Use defaults.BPFFSRoot to distinguish default/custom BPF FS mount location (cilium/cilium#36150, @rastislavs)
* CFP: Egress Gateway Additional NodeSelectors (cilium/cilium#35421, @chaunceyjiang)
* cilium-cli: Derive the default version from cilium/charts (cilium/cilium#36344, @michi-covalent)
* ciliumidentity: Fixes missing enqueue time tracker entries (cilium/cilium#36548, @ovidiutirla)
* docs, daemon: Deprecate high-scale ipcache mode (cilium/cilium#36373, @pchaigno)
* docs: Remove cassandra and memcached examples (cilium/cilium#36477, @joestringer)
* Documentation: Add more details regarding svc lb map sizing. (cilium/cilium#36217, @tommyp1ckles)
* endpoint: Add an option to lock endpoints down (that is, drop all traffic) when their policy maps overflow. (cilium/cilium#35042, @nathanjsweet)
* envoy: Bump cilium-envoy to latest version (cilium/cilium#36295, @sayboras)
* hive/metrics: Fix flaky test (cilium/cilium#36418, @ovidiutirla)
* k8s: Bump k8s to v1.32.0 (cilium/cilium#36534, @sayboras)
* k8s: Bump k8s to v1.32.rc-2 (cilium/cilium#36412, @sayboras)
* operator: Add more common metrics to operator (kvstore, rate-limiting, version) (cilium/cilium#36014, @odinuge)
* service: Cap number of backends included in monitor message (cilium/cilium#36394, @joamaki)
* The agent now tries to deduplicate the strings and maps holding Kubernetes labels and annotations to reduce overall memory consumption. (cilium/cilium#36294, @joamaki)

**Bugfixes:**
* Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (cilium/cilium#36484, @julianwiedmann)
* bgpv2: Do not fail if PeerAddress is not configured for a peer (cilium/cilium#36488, @rastislavs)
* Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, which previously led to spurious drops in connections to domains with many associated IPs. (cilium/cilium#36252, @bimmlerd)
* cilium: LB source ranges fixes (cilium/cilium#36517, @borkmann)
* DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (cilium/cilium#36142, @jrajahalme)
* Do not leak ipcache entries when apiserver entities are cluster external (cilium/cilium#35868, @hemanthmalla)
* eni.subnetTagsFilter and eni.instanceTagsFilter are now templated to a comma-separated string (cilium/cilium#36617, @sderoe)
* Fix connectivity issue caused by stale cilium eBPF program when using --bpf-filter-priority (cilium/cilium#36176, @tamilmani1989)
* gateway-api: Fix gateway checks for namespace (cilium/cilium#35452, @sayboras)
* helm: avoid setting bpf-lb-sock-terminate-pod-connections (cilium/cilium#36508, @ysksuzuki)
* metrics/features: remove reporting metrics' defaults by default (cilium/cilium#36298, @aanm)
* Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (cilium/cilium#36504, @viktor-kurchenko)
* sysctlfix: close systemd config file before triggering reload (cilium/cilium#36368, @dylandreimerink)
* ui: drop CORS headers from api response (cilium/cilium#35762, @geakstr)

**CI Changes:**
* .github/workflows: Enable DualStack for conformance-kind-proxy-embedded (cilium/cilium#36398, @dylandreimerink)
* ariane: don't run tests for renovate config changes (cilium/cilium#36543, @tklauser)
* bpf/tests: test ipv6 udp packets when redirecting from l3 to l2 (cilium/cilium#36536, @rgo3)
* ci/ipsec: Cilium agents in ci-ipsec-e2e no longer share host's boot ID (cilium/cilium#35951, @jschwinger233)
* ci: add network policy scale test (cilium/cilium#35278, @marseel)
* ci: configure connectivity test in delegated ipam e2e (cilium/cilium#36475, @wedaly)
* ci: datapath-verifier: also run on 6.12 kernel (cilium/cilium#36619, @julianwiedmann)
* ci: fix job names for various ci workflows (cilium/cilium#36397, @marseel)
* cilium-cli/connectivity: disable warning log checks before v1.17 (cilium/cilium#36358, @giorio94)
* cilium-cli/connectivity: fix IPv6 feature check for 2ndary node IPv6 (cilium/cilium#36513, @tklauser)
* Fix cilium CLI connectivity tests in IPv6-only clusters. (cilium/cilium#36026, @wedaly)
* gh: conformance-clustermesh: test with IPsec + BPF NodePort (cilium/cilium#36384, @julianwiedmann)
* gh: e2e-upgrade: add coverage for 6.12 kernel (cilium/cilium#36640, @julianwiedmann)
* gh: e2e-upgrade: add coverage for 6.6 kernel (cilium/cilium#36626, @julianwiedmann)
* gh: e2e-upgrade: de-renovate the config example (cilium/cilium#36463, @julianwiedmann)
* gha: always collect and upload sysdump if 100 nodes scale test fails (cilium/cilium#36367, @giorio94)
* gha: always respect the given image-tag in the helm-default action (cilium/cilium#36293, @giorio94)
* gha: configure environment in build-images-base/image-digests job (cilium/cilium#36318, @giorio94)
* gha: default the helm-default image-tag also in pull request workflows (cilium/cilium#36314, @giorio94)
* gha: Enable parallel requests for L7 tests (cilium/cilium#36623, @sayboras)
* gha: extra Cilium agents CPU and Mem metrics in clustermesh scale test (cilium/cilium#36481, @giorio94)
* gha: Use ubuntu-24.04 for integration-test (cilium/cilium#36628, @sayboras)
* Quarantine of high-scale IPcache (cilium/cilium#36376, @Artyop)
* test/k8s: remove unused migrate-svc manifests (cilium/cilium#36388, @tklauser)
* Update oss-fuzz CI workflow (cilium/cilium#36472, @joestringer)

**Misc Changes:**
* .gitattributes: Syntax highlight bpftrace script (cilium/cilium#36512, @pchaigno)
* .github/workflows: do not fail ginkgo if unable to fetch features (cilium/cilium#36461, @aanm)
* .github: fix conformance-k8s NP test (cilium/cilium#36355, @aanm)
* Add documentation for feature metrics (cilium/cilium#36579, @aanm)
* Add Kakao to USERS.md (cilium/cilium#36630, @gyutaeb)
* Add policy-related features tracking in Cilium agent as prometheus metrics (cilium/cilium#36203, @aanm)
* Add test for generation and extraction of debug symbols. Add debug symbol support for gdb. (cilium/cilium#36515, @EricMountain)
* Add the tls:// prefix in the Hubble TLS doc (cilium/cilium#36410, @liyihuang)
* Add versioning to drop notify events. (cilium/cilium#35413, @sypakine)
* api: silence warning if API response failed due to connection closed (cilium/cilium#36332, @giorio94)
* bgp: remove metallb-bgp documentation (cilium/cilium#36306, @harsimran-pabla)
* bpf: add host_wg_encrypt hook (cilium/cilium#36266, @rgo3)
* bpf: Avoid implicit shorten-64-to-32 in clang 19 (cilium/cilium#36186, @sayboras)
* bpf: host: exit early when to-host handles to-proxy traffic (cilium/cilium#36395, @julianwiedmann)
* bpf: host: minor cleanups (cilium/cilium#36574, @julianwiedmann)
* bpf: host: misc improvements for cil_from_netdev() / cil_from_host() (cilium/cilium#36360, @julianwiedmann)
* bpf: host: remove unused code in handle_netdev() (cilium/cilium#36328, @julianwiedmann)
* bpf: nodeport: forward L7 svc traffic straight to proxy (cilium/cilium#36383, @julianwiedmann)
* bpf: proxy: cleanup ctx_redirect_to_proxy_first_tproxy() (cilium/cilium#36382, @julianwiedmann)
* bpf: proxy: split out the TPROXY parts from ctx_redirect_to_proxy_first() (cilium/cilium#36327, @julianwiedmann)
* build(deps): bump tornado from 6.4.1 to 6.4.2 in /Documentation (cilium/cilium#36586, @dependabot[bot])
* Bump github.com/mdlayher/arp to latest, adjust usage (cilium/cilium#36571, @tklauser)
* Bump StateDB to v0.3.4 and refactor db command usages (cilium/cilium#36325, @joamaki)
* certloader: prevent panic when Watcher.Stop is called multiple times (cilium/cilium#36366, @devodev)
* chore(deps): update all github action dependencies (main) (cilium/cilium#36439, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#36501, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#36605, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36436, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36606, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36316, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36440, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36499, @cilium-renovate[bot])
* chore(deps): update cilium/cilium-cli action to v0.16.22 (main) (cilium/cilium#36500, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.21 (main) (cilium/cilium#36420, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.22 (main) (cilium/cilium#36514, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.4 docker digest to 7003184 (main) (cilium/cilium#36604, @cilium-renovate[bot])
* chore(deps): update go to v1.23.4 (main) (cilium/cilium#36437, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.3-1733229491-16e43f505747e9351d9e96927f02d72eecffa3e4 (main) (cilium/cilium#36348, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.4-1733710912-e119b3d3cbe9727886d0a502a5dcfc3d55acbe58 (main) (cilium/cilium#36453, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.4-1734096493-fff09f16c2c269b22509c86dfc1d3e8f52eb3857 (main) (cilium/cilium#36607, @cilium-renovate[bot])
* Cilium-cli connectivity test now supports use of parallel requests with curl (cilium/cilium#35949, @jrajahalme)
* cilium: Dump supported svc annotations (cilium/cilium#36353, @borkmann)
* cilium: streamline lb mode config to lb alg (cilium/cilium#36297, @borkmann)
* CODEOWNERS: Add feature owners for masquerade (cilium/cilium#36378, @joestringer)
* CODEOWNERS: create new group hubble-metrics (cilium/cilium#35991, @rectified95)
* Connectivity tests with L7 policies and port ranges are skipped on Cilium releases prior to 1.17. (cilium/cilium#36460, @jrajahalme)
* connectivity: run client-egress-to-cidrgroup-deny conditionally (cilium/cilium#36426, @aanm)
* contrib: suppress noop taint removal (cilium/cilium#36539, @nebril)
* daemon: disable dependent bpf-sock-lb options if bpf-sock-lb=false (cilium/cilium#36396, @tklauser)
* datapath/linux: Fix neighbor table index conversions (cilium/cilium#36429, @rastislavs)
* datapath/linux: Remove device's neighbors upon device deletion (cilium/cilium#36424, @rastislavs)
* datapath/tables: Add Neighbor statedb table and populate it in Devices Controller (cilium/cilium#36317, @rastislavs)
* Decouple orchestrator from the local node store multicast stream (cilium/cilium#36331, @pippolo84)
* defaults: bump FQDN max ips per host (cilium/cilium#36255, @bimmlerd)
* docs: Add missing default identity label in the description of identity-relevant labels' example (cilium/cilium#36558, @liyihuang)
* docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (cilium/cilium#36549, @verysonglaa)
* docs: Fix typo in multi-pool section title (cilium/cilium#36305, @joestringer)
* docs: system-requirements: require 5.4 kernel (cilium/cilium#36386, @julianwiedmann)
* Don't mark KVstoreLeaseTTL flag as hidden (cilium/cilium#36380, @hemanthmalla)
* Endpoint populate new policymap early if empty (cilium/cilium#36361, @jrajahalme)
* endpoint: stop regenerating all endpoints on every identity allocation; switch to periodic regens instead. (cilium/cilium#35815, @squeed)
* Ensure debug symbols are generated for the debug image even when stripping symbols for the release image. (cilium/cilium#36417, @EricMountain)
* envoy: Pass tofqdns-proxy-response-max-delay to Envoy (cilium/cilium#36330, @jrajahalme)
* envoy: remove incorrect comments (cilium/cilium#36385, @tklauser)
* envoy: update to latest version (cilium/cilium#36622, @mhofstetter)
* experimental: ShadowInstances from many sources (cilium/cilium#35810, @DamianSawicki)
* fix(deps): update all go dependencies main (main) (cilium/cilium#36272, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#36454, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#36550, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#36438, @cilium-renovate[bot])
* fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (main) (cilium/cilium#36529, @cilium-renovate[bot])
* fix: set netpol disablement values before disabling CEP (cilium/cilium#36339, @jshr-w)
* images: Use cilium-builder image instead of golang to build hubble (cilium/cilium#35697, @learnitall)
* ipcache: Remove metric for idempotent operations (cilium/cilium#35367, @joestringer)
* Isolate node-to-node encryption tests to wireguard (cilium/cilium#36556, @ldelossa)
* k8s: Bump k8s to v1.32.rc-1 (cilium/cilium#36352, @sayboras)
* lock: Remove StoppableWaitGroup.Done(), return done function from Add() (cilium/cilium#35892, @joamaki)
* Lower interval for icmp probes and stop on first success (cilium/cilium#36400, @marseel)
* maglev: Cleanup implementation (cilium/cilium#35885, @joamaki)
* make: Fix kind-image-fast-agent (cilium/cilium#36545, @brb)
* make: Fix kind-image-fast-agent from scratch (cilium/cilium#36587, @joestringer)
* make: Update cilium-bugtool upon fast target (cilium/cilium#36516, @brb)
* metrics/features: enable ClusterMesh (cilium/cilium#36402, @aanm)
* metrics: Sample metrics periodically and dump samples as part of sysdump (cilium/cilium#35916, @joamaki)
* Miscellaneous improvements and fixes concerning the endpoints UID checks and surrounding logic (cilium/cilium#36392, @giorio94)
* Miscellaneous improvements to the etcd ListAndWatch implementation (cilium/cilium#36091, @giorio94)
* node: remove refresh parameter from NodeNeighborRefresh (cilium/cilium#36319, @mhofstetter)
* nodemanager: cleanup clusternodesclient (cilium/cilium#36315, @mhofstetter)
* pkg/endpoint: delete unused const backupDirectorySuffix in directory.go (cilium/cilium#36601, @Sm0ckingBird)
* Policy: move ingestion to cell, batch updates (cilium/cilium#36044, @squeed)
* Prepare for release v1.17.0-pre.3 (cilium/cilium#36300, @cilium-release-bot[bot])
* Prepare v1.17 stable branch (cilium/cilium#36627, @aanm)
* promise: Replace go routine with `context.AfterFunc` (cilium/cilium#36185, @gandro)
* proxy: Take proxy port reference for new redirects immediately (cilium/cilium#36435, @jrajahalme)
* proxyports: Resolve data races in test (cilium/cilium#36399, @jrajahalme)
* proxyports: Sleep a bit longer in tests (cilium/cilium#36389, @jrajahalme)
* README: Update releases (cilium/cilium#36304, @aanm)
* renovate: do not pin digest for helm/kind-action (cilium/cilium#36459, @aanm)
* renovate: re-enable updates for github.com/mdlayher/arp (cilium/cilium#36542, @tklauser)
* Update documentation for egress masquerading behavior (cilium/cilium#36267, @liyihuang)
* Update Service Mesh Makefile targets (cilium/cilium#36350, @youngnick)
* Use bash syntax to consume env variable (cilium/cilium#36544, @ferozsalam)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.0-rc.0@sha256:fd460ee60e3d5dc785128539aa4cf7e2f797b994602d27ec69146eb50fbf4b95`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.0-rc.0@sha256:f02419adf8265518f464a15a5434cbdab870b60930a2f0017a3bd0d9cd6f77d7`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.0-rc.0@sha256:79e817b338e9921c093d3dac80005054f37a3bf96f37b54cfbbe8a7f5e9920dc`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.0-rc.0@sha256:ecf1a7133c73603a59dacabb2ca3756b938465bc05d78396e3bca3afd63b90ed`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.0-rc.0@sha256:296eadb324441538049996ae3a780db1ac909d98c9f820fdeee110023fbf3a94`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.0-rc.0@sha256:f204409d9fb9e176a062c16eb9f6c564bbed450b06409f3f2afe9cbddb9af8fe`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.0-rc.0@sha256:9e77740f394b0ec27c6a51f6bee239e40fc9f5b3cd70bd7bcc4244c1ad538ea7`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.0-rc.0@sha256:2b60ecc195ed929113e49d648aad491981153693a905bff93d5939f93c97bd8f`

### operator

`quay.io/cilium/operator:v1.17.0-rc.0@sha256:cdac6386e20e1520d42a9e1b94e8ce5d3736562c44fe4b0da35cb3ddbdeea68f`


1.16.5 (2024-12-18)

Summary of Changes
------------------

**Minor Changes:**
* hubble: Stop building 32-bit binaries (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35974, @michi-covalent)

**Bugfixes:**
* Address potential connectivity disruption when using either L7 / DNS Network policies in combination with per-endpoint routes and hostLegacyRouting, or L7 / DNS network policies in combination with IPsec network encryption. (Backport PR cilium/cilium#36540, Upstream PR cilium/cilium#36484, @julianwiedmann)
* bgp: fix race in bgp stores (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35971, @harsimran-pabla)
* BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36230, @rastislavs)
* BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36165, @rastislavs)
* The Cilium agent now waits until endpoints have been restored before it starts accepting new xDS streams. (Backport PR cilium/cilium#36049, Upstream PR cilium/cilium#35984, @jrajahalme)
* Cilium no longer keeps old DNS-IP mappings alive while reaping newer ones, which previously led to spurious drops in connections to domains with many associated IPs. (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36252, @bimmlerd)
* cilium-health-ep controller is made to be more robust against successive failures. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35936, @jrajahalme)
* DNS proxy port is no longer released when endpoint with a DNS policy fails to regenerate successfully. A potential deadlock between CEC/CCEC parser and endpoint policy update is removed. (Backport PR cilium/cilium#36468, Upstream PR cilium/cilium#36142, @jrajahalme)
* Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (Backport PR cilium/cilium#36049, Upstream PR cilium/cilium#36060, @jrajahalme)
* Fix an issue where pod-to-world traffic goes up the stack when BPF host routing is enabled with tunnel. (Backport PR cilium/cilium#35861, Upstream PR cilium/cilium#35098, @jschwinger233)
* Fix identity leak for kvstore identity mode (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#34893, @odinuge)
* Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (Backport PR cilium/cilium#36302, Upstream PR cilium/cilium#36292, @giorio94)
* gateway-api: Fix gateway checks for namespace (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#35452, @sayboras)
* gha: Remove hostLegacyRouting in clustermesh (Backport PR cilium/cilium#36357, Upstream PR cilium/cilium#35418, @sayboras)
* helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#36005, @devodev)
* hubble: consistently use v as prefix for the Hubble version (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#35891, @rolinh)
* iptables: Fix data race in iptables manager (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35902, @pippolo84)
* lrp: update LRP services with stale backends on agent restart (Backport PR cilium/cilium#36106, Upstream PR cilium/cilium#36036, @ysksuzuki)
* policy: Fix bug that allowed port ranges to be attached to L7 policies, which is not permitted. (cilium/cilium#36050, @nathanjsweet)
* Unbreak the cilium-dbg preflight migrate-identity command (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36089, @giorio94)
* Use `strconv.Itoa` instead of `string()` for the correct behavior when converting `kafka.ErrorCode` from `int32` to `string`. Add relevant unit tests for Kafka plugin and handler. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35856, @nddq)

**CI Changes:**
* [v1.16] ci: modularize chart CI push workflow (cilium/cilium#35958, @ferozsalam)
* gh: conformance-clustermesh: test with IPsec + BPF NodePort (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36384, @julianwiedmann)
* gha: configure environment in build-images-base/image-digests job (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36318, @giorio94)
* node_local_store: prevent racy tests while using mock node store. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35945, @tommyp1ckles)
* Remove unnecessary hubble port-forward commands (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#33523, @michi-covalent)

**Misc Changes:**
* [v1.16] docs: egress masquerade selector (cilium/cilium#36333, @viktor-kurchenko)
* [v1.16] images: bump cni plugins to v1.6.0 (cilium/cilium#36092, @ferozsalam)
* bugtool: dump tail-call map for bpf_wireguard (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36183, @julianwiedmann)
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#36155, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#36275, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#36443, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (patch) (cilium/cilium#36277, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#35546, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#36152, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#36279, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#36444, @cilium-renovate[bot])
* chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.16) (cilium/cilium#36153, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.16) (cilium/cilium#36222, @cilium-renovate[bot])
* chore(deps): update go to v1.22.10 (v1.16) (cilium/cilium#36441, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1732605705-2aa20ee3acb68cd38d57669af19508bea8f0ba62 (v1.16) (cilium/cilium#36180, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.16) (cilium/cilium#36495, @cilium-renovate[bot])
* chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.16) (cilium/cilium#36278, @cilium-renovate[bot])
* chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.16) (cilium/cilium#36442, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.16) (patch) (cilium/cilium#36154, @cilium-renovate[bot])
* docs: Add the tls:// prefix before the IP address (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36118, @liyihuang)
* docs: Fix typo in multi-pool section title (Backport PR cilium/cilium#36312, Upstream PR cilium/cilium#36305, @joestringer)
* docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35923, @yilas)
* docs: lrp: fix kernel version requirement for skipRedirectFromBackend (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35921, @ysksuzuki)
* docs: system-requirements: require 5.4 kernel (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36386, @julianwiedmann)
* docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36208, @julianwiedmann)
* Endpoint populate new policymap early if empty (Backport PR cilium/cilium#36479, Upstream PR cilium/cilium#36361, @jrajahalme)
* envoy: Configure internal_address_config to avoid warning log (Backport PR cilium/cilium#36015, Upstream PR cilium/cilium#35943, @sayboras)
* envoy: Pass tofqdns-proxy-response-max-delay to Envoy (Backport PR cilium/cilium#36468, Upstream PR cilium/cilium#36330, @jrajahalme)
* fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.16) (cilium/cilium#36530, @cilium-renovate[bot])
* Fixed BGP documentation (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35953, @seadog007)
* images: Use cilium-builder image instead of golang to build hubble (Backport PR cilium/cilium#36312, Upstream PR cilium/cilium#35697, @learnitall)
* lrp: fix kernel version requirement in warning log (Backport PR cilium/cilium#36286, Upstream PR cilium/cilium#36141, @ysksuzuki)
* Makefile: fix swagger definition for automatic renovate updates (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35979, @aanm)
* proxy: Take proxy port reference for new redirects immediately (Backport PR cilium/cilium#36468, Upstream PR cilium/cilium#36435, @jrajahalme)
* proxyports: Resolve data races in test (Backport PR cilium/cilium#36468, Upstream PR cilium/cilium#36399, @jrajahalme)
* proxyports: Sleep a bit longer in tests (Backport PR cilium/cilium#36468, Upstream PR cilium/cilium#36389, @jrajahalme)
* Remove duplicated watch on services and endpoint in the cilium-agent (Backport PR cilium/cilium#36066, Upstream PR cilium/cilium#35838, @MrFreezeex)
* Rework error handling logic in neighbor discovery (Backport PR cilium/cilium#36093, Upstream PR cilium/cilium#35144, @pippolo84)
* Silence spurious clustermesh-related warnings (Backport PR cilium/cilium#36225, Upstream PR cilium/cilium#35867, @giorio94)
* Update documentation for egress masquerading behavior (Backport PR cilium/cilium#36462, Upstream PR cilium/cilium#36267, @liyihuang)

**Other Changes:**
* [1.16] ci/ipsec-upgrade: increase cilium status wait duration (cilium/cilium#36082, @harsimran-pabla)
* [v1.16] cilium, service: Fix checkLBSrcRange propagation to LB map (cilium/cilium#36511, @borkmann)
* install: Update image digests for v1.16.4 (cilium/cilium#36047, @cilium-release-bot[bot])
* jrajahalme/v1.16 cilium cli (cilium/cilium#36541, @jrajahalme)
* Revert "workflows/ipsec: Cover Ingress" (cilium/cilium#36116, @harsimran-pabla)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d`
`quay.io/cilium/cilium:stable@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.5@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.5@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768`
`quay.io/cilium/docker-plugin:stable@sha256:d6b4ed076ae921535c2a543d4b5b63af474288ee4501653a1f442c935beb5768`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.5@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00`
`quay.io/cilium/hubble-relay:stable@sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.5@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0`
`quay.io/cilium/operator-alibabacloud:stable@sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0`

### operator-aws

`quay.io/cilium/operator-aws:v1.16.5@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476`
`quay.io/cilium/operator-aws:stable@sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476`

### operator-azure

`quay.io/cilium/operator-azure:v1.16.5@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9`
`quay.io/cilium/operator-azure:stable@sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9`

### operator-generic

`quay.io/cilium/operator-generic:v1.16.5@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039`
`quay.io/cilium/operator-generic:stable@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039`

### operator

`quay.io/cilium/operator:v1.16.5@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940`
`quay.io/cilium/operator:stable@sha256:617896e1b23a2c4504ab2c84f17964e24dade3b5845f733b11847202230ca940`


1.15.12 (2024-12-18)

Summary of Changes
------------------

**Bugfixes:**
* bgp: fix race in bgp stores (Backport PR cilium/cilium#36071, Upstream PR cilium/cilium#35971, @harsimran-pabla)
* cilium-health-ep controller is made to be more robust against successive failures. (Backport PR cilium/cilium#36071, Upstream PR cilium/cilium#35936, @jrajahalme)
* gateway-api: Fix gateway checks for namespace (Backport PR cilium/cilium#36464, Upstream PR cilium/cilium#35452, @sayboras)
* Unbreak the cilium-dbg preflight migrate-identity command (Backport PR cilium/cilium#36285, Upstream PR cilium/cilium#36089, @giorio94)

**CI Changes:**
* [v1.15] ci: modularize chart CI push workflow (cilium/cilium#35963, @ferozsalam)
* [v1.15] gha: Upgrade helm/kind-action to the latest upstream (cilium/cilium#36415, @aanm)
* gha: configure environment in build-images-base/image-digests job (Backport PR cilium/cilium#36464, Upstream PR cilium/cilium#36318, @giorio94)
* github: Pass the workflow step timeout to go test (Backport PR cilium/cilium#36071, Upstream PR cilium/cilium#35814, @jrajahalme)
* Remove unnecessary hubble port-forward commands (Backport PR cilium/cilium#36071, Upstream PR cilium/cilium#33523, @michi-covalent)

**Misc Changes:**
* [v1.15] docs: egress masquerade selector (cilium/cilium#36407, @nbusseneau)
* [v1.15] images: bump cni plugins to v1.6.0 (cilium/cilium#36090, @ferozsalam)
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#36159, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#36280, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#36449, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#36156, @cilium-renovate[bot])
* chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.15) (cilium/cilium#36157, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.22 (v1.15) (cilium/cilium#36506, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.4 (v1.15) (cilium/cilium#36146, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.15) (cilium/cilium#36223, @cilium-renovate[bot])
* chore(deps): update go to v1.22.10 (v1.15) (cilium/cilium#36446, @cilium-renovate[bot])
* chore(deps): update old stable lvh-images (v1.15) (patch) (cilium/cilium#36158, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1733138674-96535afceef9d9f5c28a96cabe4068bf4472d053 (v1.15) (cilium/cilium#36181, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733718623-70f73cfb053b8039d0541fdd0c120afc5f57a43d (v1.15) (cilium/cilium#36456, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.15) (cilium/cilium#36496, @cilium-renovate[bot])
* chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241129.013349 (v1.15) (cilium/cilium#36281, @cilium-renovate[bot])
* chore(deps): update quay.io/lvh-images/kind docker tag to bpf-20241206.013345 (v1.15) (cilium/cilium#36447, @cilium-renovate[bot])
* docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR cilium/cilium#36071, Upstream PR cilium/cilium#35923, @yilas)
* docs: WireGuard doesn't require overlay port in Network Firewalls (Backport PR cilium/cilium#36285, Upstream PR cilium/cilium#36208, @julianwiedmann)
* envoy: Configure internal_address_config to avoid warning log (Backport PR cilium/cilium#36017, Upstream PR cilium/cilium#35943, @sayboras)
* fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.15) (cilium/cilium#36531, @cilium-renovate[bot])
* images: Use cilium-builder image instead of golang to build hubble (Backport PR cilium/cilium#36313, Upstream PR cilium/cilium#35697, @learnitall)
* Makefile: fix swagger definition for automatic renovate updates (Backport PR cilium/cilium#36071, Upstream PR cilium/cilium#35979, @aanm)
* Update documentation for egress masquerading behavior (Backport PR cilium/cilium#36464, Upstream PR cilium/cilium#36267, @liyihuang)

**Other Changes:**
* [1.15] xdp: make cilium_calls_xdp map per-endpoint (cilium/cilium#36099, @ti-mo)
* install: Update image digests for v1.15.11 (cilium/cilium#36046, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.15.12@sha256:d1793b67d976e1bc0a4ab01b34c94adfcd35a8be7612d04c6d618bf25f50f0d1`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.15.12@sha256:96541f82229725e21b036adffffd92270c82b4bc0f8c27795058b5f115ad5bd0`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.15.12@sha256:f564af976d82c09e37f17945e7de9bfc17f76a7f0f4d5529795c22d3fffd2adb`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.15.12@sha256:19a6458a8ea824052fe74ff06f37222f42e72df41f06b548fe07b9a22daa1203`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.15.12@sha256:f62872cb96278159e968e3f384ad2ebab30eef9335c2a3838c5bc0bc528398ce`

### operator-aws

`quay.io/cilium/operator-aws:v1.15.12@sha256:a9d63cbd89e0c7ccf46460809b95e37045092dd297a1bc934afa19a83f4884aa`

### operator-azure

`quay.io/cilium/operator-azure:v1.15.12@sha256:a89046318bbb87f9ae357566dab448871384cfc7797ef2a3c31abd903d9ec8dc`

### operator-generic

`quay.io/cilium/operator-generic:v1.15.12@sha256:e48d863367bfd39843917400aa7454ca6a4af74f995cf29a2edb81d7d13c7277`

### operator

`quay.io/cilium/operator:v1.15.12@sha256:3c40d1c94de94629c02c2c8ee8b69ee6e16c9e60e94ecd343e2a48ebf4a6c430`


1.14.18 (2024-12-18)

Summary of Changes
------------------

**Bugfixes:**
* cilium-health-ep controller is made to be more robust against successive failures. (Backport PR cilium/cilium#36074, Upstream PR cilium/cilium#35936, @jrajahalme)
* Unbreak the cilium-dbg preflight migrate-identity command (Backport PR cilium/cilium#36284, Upstream PR cilium/cilium#36089, @giorio94)

**CI Changes:**
* [v1.14] ci: modularize chart CI push workflow (cilium/cilium#35964, @ferozsalam)
* [v1.14] gha: Upgrade helm/kind-action to the latest upstream (cilium/cilium#36416, @aanm)
* gha: configure environment in build-images-base/image-digests job (Backport PR cilium/cilium#36465, Upstream PR cilium/cilium#36318, @giorio94)
* github: Pass the workflow step timeout to go test (Backport PR cilium/cilium#36074, Upstream PR cilium/cilium#35814, @jrajahalme)
* Remove unnecessary hubble port-forward commands (Backport PR cilium/cilium#36074, Upstream PR cilium/cilium#33523, @michi-covalent)

**Misc Changes:**
* [v1.14] docs: egress masquerade selector (cilium/cilium#36408, @nbusseneau)
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#36163, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#36282, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.14) (cilium/cilium#36160, @cilium-renovate[bot])
* chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.14) (cilium/cilium#36161, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.22 (v1.14) (cilium/cilium#36507, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.4 (v1.14) (cilium/cilium#36147, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.9 docker digest to 147f428 (v1.14) (cilium/cilium#36224, @cilium-renovate[bot])
* chore(deps): update go to v1.22.10 (v1.14) (cilium/cilium#36455, @cilium-renovate[bot])
* chore(deps): update old stable lvh-images (v1.14) (patch) (cilium/cilium#36162, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1733138674-96535afceef9d9f5c28a96cabe4068bf4472d053 (v1.14) (cilium/cilium#36182, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733718623-70f73cfb053b8039d0541fdd0c120afc5f57a43d (v1.14) (cilium/cilium#36457, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8 (v1.14) (cilium/cilium#36497, @cilium-renovate[bot])
* docs: In k0s guide, remove dashes to fix invalid Bash variable names. (Backport PR cilium/cilium#36074, Upstream PR cilium/cilium#35923, @yilas)
* envoy: Configure internal_address_config to avoid warning log (Backport PR cilium/cilium#36202, Upstream PR cilium/cilium#35943, @sayboras)
* fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (v1.14) (cilium/cilium#36532, @cilium-renovate[bot])
* images: bump cni plugins to v1.6.0 (Backport PR cilium/cilium#36088, Upstream PR cilium/cilium#36075, @ferozsalam)
* Makefile: fix swagger definition for automatic renovate updates (Backport PR cilium/cilium#36074, Upstream PR cilium/cilium#35979, @aanm)

**Other Changes:**
* [1.14] xdp: make cilium_calls_xdp map per-endpoint (cilium/cilium#36098, @ti-mo)
* install: Update image digests for v1.14.17 (cilium/cilium#36045, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`docker.io/cilium/cilium:v1.14.18@sha256:a09bd4ee7345ccdb42679985bf3e5a696ad8416e31a70a3609129bc745804123`
`quay.io/cilium/cilium:v1.14.18@sha256:a09bd4ee7345ccdb42679985bf3e5a696ad8416e31a70a3609129bc745804123`

### clustermesh-apiserver

`docker.io/cilium/clustermesh-apiserver:v1.14.18@sha256:2264b7e3ed698f38652fc18d036de1ede4e1a03c67bcb51b42a5ddc5f87df603`
`quay.io/cilium/clustermesh-apiserver:v1.14.18@sha256:2264b7e3ed698f38652fc18d036de1ede4e1a03c67bcb51b42a5ddc5f87df603`

### docker-plugin

`docker.io/cilium/docker-plugin:v1.14.18@sha256:60bb79fd8571cca182ad53f84fe4e5aa5e45c70ec1b2a48810e685fe87e7a8c5`
`quay.io/cilium/docker-plugin:v1.14.18@sha256:60bb79fd8571cca182ad53f84fe4e5aa5e45c70ec1b2a48810e685fe87e7a8c5`

### hubble-relay

`docker.io/cilium/hubble-relay:v1.14.18@sha256:a0a05a3b1aeb1429b76a00c8f6d9217427806faacbca2f7c6e340e51a683d476`
`quay.io/cilium/hubble-relay:v1.14.18@sha256:a0a05a3b1aeb1429b76a00c8f6d9217427806faacbca2f7c6e340e51a683d476`

### kvstoremesh

`docker.io/cilium/kvstoremesh:v1.14.18@sha256:e4e96cfeb112acf9e8d88bd9ccebf1d3b9e5139eb8c632075341b623bb7105c4`
`quay.io/cilium/kvstoremesh:v1.14.18@sha256:e4e96cfeb112acf9e8d88bd9ccebf1d3b9e5139eb8c632075341b623bb7105c4`

### operator-alibabacloud

`docker.io/cilium/operator-alibabacloud:v1.14.18@sha256:ccfc60f0f90ec12229f68f4ec1559dd0160424499860636c664b488dc553e05e`
`quay.io/cilium/operator-alibabacloud:v1.14.18@sha256:ccfc60f0f90ec12229f68f4ec1559dd0160424499860636c664b488dc553e05e`

### operator-aws

`docker.io/cilium/operator-aws:v1.14.18@sha256:2240199f83156dd73b993524334fd924bbc176b5101a5276cd538cb6eb325580`
`quay.io/cilium/operator-aws:v1.14.18@sha256:2240199f83156dd73b993524334fd924bbc176b5101a5276cd538cb6eb325580`

### operator-azure

`docker.io/cilium/operator-azure:v1.14.18@sha256:6c6576198e785232c8d26464fb5a9dabdddaeea22f26ce8eb06e2d5912451a82`
`quay.io/cilium/operator-azure:v1.14.18@sha256:6c6576198e785232c8d26464fb5a9dabdddaeea22f26ce8eb06e2d5912451a82`

### operator-generic

`docker.io/cilium/operator-generic:v1.14.18@sha256:f41a9f3d899e14ba34a9696e7327147cd9811fc563c255668d59658ad90aa69e`
`quay.io/cilium/operator-generic:v1.14.18@sha256:f41a9f3d899e14ba34a9696e7327147cd9811fc563c255668d59658ad90aa69e`

### operator

`docker.io/cilium/operator:v1.14.18@sha256:a94ffab61cb69549ec885aa70d4061e3acac3736c9dccf3f6b9c4e25241c950b`
`quay.io/cilium/operator:v1.14.18@sha256:a94ffab61cb69549ec885aa70d4061e3acac3736c9dccf3f6b9c4e25241c950b`


1.17.0-pre.3 (2024-12-02)

Summary of Changes
------------------

**Major Changes:**
* Add feature tracking in Cilium agent as prometheus metrics (cilium/cilium#35852, @aanm)
* Add feature tracking in Cilium Operator as prometheus metrics (cilium/cilium#36077, @aanm)
* Allow users to override the load balancing algorithm for Services by setting the `service.cilium.io/lb-algorithm` annotation. (cilium/cilium#35735, @kl52752)
* Cilium now sends TLS Interception and Header manipulation secrets referenced in CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy by reference using SDS, using the same secret synchronization method used for Ingress, Gateway API, and BGP control plane secrets. (cilium/cilium#35513, @youngnick)
* feat: add dynamically configured Hubble metrics (cilium/cilium#35185, @rectified95)

**Minor Changes:**
* Add a commonLabel to all cilium deployed resources (cilium/cilium#35628, @strongjz)
* Add cli support for impersonation --as and --as-group flags (cilium/cilium#35240, @cnmcavoy)
* Add Multi-Pool Pre-Allocation Helm chart setting (cilium/cilium#35812, @CallMeFoxie)
* Add new batched iterator type in pkg/bpf (cilium/cilium#35079, @tommyp1ckles)
* Add the option `--health-check-icmp-failure-threshold` to set the number of ICMP requests to send during health checking before marking a node or endpoint as unreachable. (cilium/cilium#36023, @pippolo84)
* Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (cilium/cilium#35809, @jrajahalme)
* Added Lock and Unlock metric for kvstore locks (cilium/cilium#36037, @odinuge)
* Adjust verification for tunnel-protocol and routing-mode in helm templates to remove occurrence of duplicate entries in rendered configmap. Remove constraint on tunnelProtocol for aksbyocni. (cilium/cilium#36226, @jonasbadstuebner)
* AWS AL2023 support (cilium/cilium#36076, @viktor-kurchenko)
* bgp: Add `neighbor_asn` label to BGP metrics (cilium/cilium#35503, @mikejoh)
* bgpv2: Add a knob to disable CRD status reporting (cilium/cilium#35976, @YutaroHayakawa)
* bpf: Enforce symmetric routing for endpoints with parent interfaces (cilium/cilium#35298, @dylandreimerink)
* cilium: Add option for lb src ranges to act as deny cidr list (cilium/cilium#36120, @borkmann)
* connectivity health checking: improve the reliability of health checking at large scales by rate-limiting probes (cilium/cilium#35163, @jshr-w)
* Decouples the creation of metrics services from ServiceMonitors in the Cilium Helm chart, providing greater flexibility for Prometheus integration. (cilium/cilium#36013, @saiaunghlyanhtet)
* Disable deprecated support for running the Cilium KVStore in pod network (cilium/cilium#35741, @giorio94)
* Don't mark the agent as ready until successfully connecting to the kvstore (if enabled) (cilium/cilium#36035, @giorio94)
* Egress masquerade multiple interfaces fix (cilium/cilium#36103, @viktor-kurchenko)
* envoy: Bump envoy version to v1.31 (cilium/cilium#35959, @sayboras)
* helm: New socketLB.tracing flag (cilium/cilium#35747, @pchaigno)
* hubble: from and to cluster filters (cilium/cilium#33325, @kaworu)
* hubble: Stop building 32-bit binaries (cilium/cilium#35974, @michi-covalent)
* images: Update LLVM to 18.1.8 (cilium/cilium#36197, @sayboras)
* Improve the CiliumNode to KVStore synchronization logic of the Cilium operator (cilium/cilium#35840, @giorio94)
* introducing a new CLI option to display ipcache information by labels or cidr (cilium/cilium#35275, @vasu-dasari)
* k8s: Add support for 1.32.0 (cilium/cilium#36235, @sayboras)
* Limit FQDNS matchName and matchPattern length to 255 characters (cilium/cilium#35577, @rudrakhp)
* operator: improve the responsiveness of tainting and setting conditions on k8s nodes (cilium/cilium#35785, @marseel)
* operator: make max consecutive quorum errors configurable (cilium/cilium#36033, @giorio94)
* policy: Add selectorcache cardinality metrics (cilium/cilium#35859, @joestringer)
* Remove support for the insecure, deprecated global IPsec key. Per-tunnel IPsec keys will now be used regardless of the IPsec secret format. (cilium/cilium#34709, @pchaigno)
* Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (cilium/cilium#35900, @smagnani96)
* Stop propagating duplicate health and ingress endpoint information to the kvstore (cilium/cilium#35997, @giorio94)
* sysdump: respect worker count and collect Cilium profiling data as first task (cilium/cilium#35897, @giorio94)

**Bugfixes:**
* bgp: fix race in bgp stores (cilium/cilium#35971, @harsimran-pabla)
* BGPv1: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (cilium/cilium#36230, @rastislavs)
* bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (cilium/cilium#35690, @YutaroHayakawa)
* BGPv2: Fix race by reconciliation of services with externalTrafficPolicy=Local by populating locally available services after performing service diff (cilium/cilium#36165, @rastislavs)
* bpf:nat: restore a NAT entry if its REV NAT is not found (cilium/cilium#35304, @sugangli)
* Cilium agent now waits until endpoints have been restored before it starts accepting new xDS streams. (cilium/cilium#35984, @jrajahalme)
* cilium-cli/connectivity: fix nil-pointer dereference if minimum version can't be detected (cilium/cilium#35802, @tklauser)
* cilium-health-ep controller is made to be more robust against successive failures. (cilium/cilium#35936, @jrajahalme)
* config: Remove superfluous warning on native routing CIDR (cilium/cilium#35738, @gandro)
* Envoy "initial fetch timeout" warnings are now demoted to info level, as they are expected to happen during Cilium Agent restart. (cilium/cilium#36060, @jrajahalme)
* Export Map{Key,Value} fields to prevent `map {get,list}` handler panics. (cilium/cilium#36219, @tommyp1ckles)
* Fix bug that would break all pod-to-pod connectivity when using the per-tunnel IPsec key system. (cilium/cilium#35806, @pchaigno)
* Fix identity leak for kvstore identity mode (cilium/cilium#34893, @odinuge)
* Fix incorrect trace reason for egress packets when WireGuard is used with Host Firewall. (cilium/cilium#35354, @smagnani96)
* Fix potential Cilium agent panic during endpoint restoration, occurring if the corresponding pod gets deleted while the agent is restarting. This regression only affects Cilium v1.16.4. (cilium/cilium#36292, @giorio94)
* Fix: cilium-cli install --repository flag respects repository even with cached versions. (cilium/cilium#35670, @renyunkang)
* Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (cilium/cilium#35694, @julianwiedmann)
* Fixes a bug where identities may be leaked if a pod changes labels and is immediately deleted. (cilium/cilium#35947, @orange30)
* Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (cilium/cilium#35890, @squeed)
* Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (cilium/cilium#35624, @pippolo84)
* helm: fix duplicate configmap key for `bpf-lb-sock-terminate-pod-connections` (cilium/cilium#35703, @solidDoWant)
* helm: set automountServiceAccountToken to false for hubble-relay sa (cilium/cilium#35674, @ayuspin)
* helm: Use an absolute FQDN for the Hubble peer-service endpoint to avoid incorrect DNS resolution outside the cluster (cilium/cilium#36005, @devodev)
* hubble: consistently use v as prefix for the Hubble version (cilium/cilium#35891, @rolinh)
* hubble: Lock exporters while gathering metrics (cilium/cilium#35860, @joestringer)
* ipam: Avoid empty CIDR in ENI mode (cilium/cilium#35695, @sayboras)
* ipam: Validate CiliumNode resource in ENI mode (cilium/cilium#35784, @sayboras)
* iptables: Fix data race in iptables manager (cilium/cilium#35902, @pippolo84)
* k8s: Avoid panic while checking ip mode (cilium/cilium#35782, @sayboras)
* lrp: update LRP services with stale backends on agent restart (cilium/cilium#36036, @ysksuzuki)
* option: Reduce log level for WG strict mode + IPv6 (cilium/cilium#35763, @pchaigno)
* pkg/redirectpolicy: Fix backend slices in processConfig (cilium/cilium#35496, @Sm0ckingBird)
* policy/correlation: Fix `PolicyMatchL3Proto` case (cilium/cilium#35680, @gandro)
* Unbreak the cilium-dbg preflight migrate-identity command (cilium/cilium#36089, @giorio94)
* Use `strconv.Itoa` instead of `string()` for the correct behavior when converting `kafka.ErrorCode` from `int32` to `string`. Add relevant unit tests for Kafka plugin and handler. (cilium/cilium#35856, @nddq)
* wireguard: Fix connectivity issues following node reboots. (cilium/cilium#35750, @jrife)

**CI Changes:**
* .github: extend timeout for tests-e2e-upgrade workflow (cilium/cilium#35696, @rastislavs)
* .github: quote arguments in bash string comparison (cilium/cilium#35842, @devodev)
* .github: remove use of deprecated --disable-check cilium-cli option (cilium/cilium#35776, @tklauser)
* .github: Use --input-file when testing piping flows into Hubble CLI (cilium/cilium#35858, @chancez)
* Additionally test KVStore mode in E2E/IPSec workflows (cilium/cilium#35679, @giorio94)
* ci: add watch request thresholds (cilium/cilium#35808, @marseel)
* ci: fix cleanup of stale kops clusters. (cilium/cilium#35986, @marseel)
* ci: fix native wireguard encryption (cilium/cilium#35520, @marseel)
* CI: Update tested K8S versions (cilium/cilium#35726, @brlbil)
* ci: use the VERSION file from the PR branch in push-charts-ci.yaml (cilium/cilium#35950, @ferozsalam)
* cilium-cli/connectivity: allow to specify log levels to check (cilium/cilium#36231, @tklauser)
* cilium-cli: Improve tcpdump termination timeout handling (cilium/cilium#36021, @liyihuang)
* cilium-cli: retry exec-in-pod requests in case of transient errors (cilium/cilium#35961, @tklauser)
* cilium-cli: Run BGP tests sequentially (cilium/cilium#35727, @rastislavs)
* Cleanup leaked GCE kops clusters (cilium/cilium#35915, @marseel)
* cli/connectivity: Check for unexpected warning logs (cilium/cilium#35723, @pchaigno)
* cli: Don't ignore datapath bug packet drops (cilium/cilium#36105, @pchaigno)
* datapath: Improve XFRM leak tests (cilium/cilium#35796, @pchaigno)
* Enabling IPSec pod-to-pod-with-l7-policy-encryption connectivity test for v1.15 and v1.16. (cilium/cilium#35742, @smagnani96)
* Fix flake in node manager `TestNodeManagerEmitStatus` test (cilium/cilium#36097, @glrf)
* gha: Add coverage for policy secret sync (cilium/cilium#36040, @sayboras)
* gha: Enable ingress-controller in e2e tests (cilium/cilium#36043, @sayboras)
* gha: enable the log-errors check in the clustermesh upgrade workflow (cilium/cilium#35739, @giorio94)
* gha: merge artifacts in net-perf-gke workflow (cilium/cilium#36236, @giorio94)
* gha: test disabled kvstoremesh clustermesh upgrade/downgrade tests (cilium/cilium#36242, @giorio94)
* gha: uniform downgrade settings in clustermesh upgrade/downgrade test (cilium/cilium#36239, @giorio94)
* ginkgo: Get rid of K8sUpdates (cilium/cilium#35035, @brb)
* github: bump LVH image versions (cilium/cilium#35719, @julianwiedmann)
* github: Checkout code before running cilium/cilium-cli action (cilium/cilium#36117, @michi-covalent)
* github: Pass the workflow step timeout to go test (cilium/cilium#35814, @jrajahalme)
* github: Simplify the checkout logic (cilium/cilium#36190, @michi-covalent)
* hubble: ignore some testifylint linter errors (cilium/cilium#36096, @rolinh)
* ipsec: Fix arguments in XFRM IN policy test (cilium/cilium#36030, @pchaigno)
* node_local_store: prevent racy tests while using mock node store. (cilium/cilium#35945, @tommyp1ckles)
* renovate: Fix image updates for IPsec workflows (cilium/cilium#35555, @pchaigno)
* renovate: use proper image repository for config check (cilium/cilium#36227, @tklauser)
* renovate: various smaller updates (cilium/cilium#36135, @julianwiedmann)
* test, cli/connectivity: Remove stale error log exceptions (cilium/cilium#35848, @pchaigno)
* test: remove --service-no-backend-response warning from ignore list (cilium/cilium#35830, @julianwiedmann)
* treewide: use {assert|require}.JSONEq to compare JSON strings in tests (cilium/cilium#35960, @rolinh)
* Update push-chart-ci.yaml to pass variables through the environment (cilium/cilium#36061, @pwntester)
* workflows/clustermesh: Improve naming of on-failure sysdumps (cilium/cilium#35748, @pchaigno)
* workflows/ingress: Run basic checks (cilium/cilium#35683, @pchaigno)
* workflows/ipsec: Disable mutual auth (cilium/cilium#35932, @pchaigno)

**Misc Changes:**
* .github/workflows: always install cilium-cli (cilium/cilium#36234, @aanm)
* Add Alauda to the USERS.md (cilium/cilium#35862, @oilbeater)
* Add cmdref generated documentation for clustermesh-apiserver (cilium/cilium#36205, @HadrienPatte)
* Add coverage for SNI enforcement in cilium-cli connectivity tests. (cilium/cilium#35887, @jrajahalme)
* Add Incentive.me to USERS.md (cilium/cilium#35704, @lucasfcnunes)
* Add more features tracking in Cilium agent as prometheus metrics (cilium/cilium#36078, @aanm)
* add Netcloud AG to USERS.md (cilium/cilium#35981, @janung)
* allocator: correctly propagate context to RunGC call (cilium/cilium#36034, @giorio94)
* bgp: remove metallb bgp ginkgo tests (cilium/cilium#36192, @harsimran-pabla)
* bgpv2: Fix the wrong termination condition of cleanup-peer-config-status (cilium/cilium#36245, @YutaroHayakawa)
* bgpv2: relax mandatory PeerASN field in BGP peer configuration (cilium/cilium#35817, @harsimran-pabla)
* bgpv2: Status reporting document (cilium/cilium#36134, @YutaroHayakawa)
* bpf datapath now manages policy verdict precedence between L3 and wildcard-L3 policy map matches (cilium/cilium#35449, @jrajahalme)
* bpf: clean up CB_IFINDEX (cilium/cilium#36133, @julianwiedmann)
* bpf: egressgw: support policy entry with egress ifindex (cilium/cilium#36151, @julianwiedmann)
* bpf: icmp6: check nexthdr before loading ICMPv6 type (cilium/cilium#36249, @julianwiedmann)
* bpf: minor SNAT improvements (cilium/cilium#35531, @julianwiedmann)
* bpf: nat: support more embedded ICMP types for DEST_UNREACH packet (cilium/cilium#36179, @julianwiedmann)
* bpf: nodeport: replace 0 identity with UNKNOWN_ID (cilium/cilium#36137, @julianwiedmann)
* bugtool: deprecate flag `k8s-mode` (cilium/cilium#35689, @mhofstetter)
* bugtool: dump tail-call map for bpf_wireguard (cilium/cilium#36183, @julianwiedmann)
* Centralize policy calculation in the PolicyRepository (cilium/cilium#35941, @squeed)
* cgroup: downgrade the socket LB tracing setup failure log to Info (cilium/cilium#35775, @ysksuzuki)
* chore(deps): update all github action dependencies (main) (cilium/cilium#35713, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#35729, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#36140, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#36270, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#36007, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (patch) (cilium/cilium#36124, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#35706, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#35765, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36008, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36125, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36145, @cilium-renovate[bot])
* chore(deps): update all lvh-images main (main) (patch) (cilium/cilium#36271, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#35712, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#35911, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36009, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#36139, @cilium-renovate[bot])
* chore(deps): update cilium/little-vm-helper action to v0.0.19 (main) (cilium/cilium#36149, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.20 (main) (cilium/cilium#35826, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.3 docker digest to 73f06be (main) (cilium/cilium#36006, @cilium-renovate[bot])
* chore(deps): update docker/dockerfile:1.11 docker digest to 10c699f (main) (cilium/cilium#35878, @cilium-renovate[bot])
* chore(deps): update go (main) (cilium/cilium#35955, @cilium-renovate[bot])
* chore(deps): update go to v1.23.3 (main) (cilium/cilium#35827, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.62.0 (main) (cilium/cilium#35956, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.62.2 (main) (cilium/cilium#36221, @cilium-renovate[bot])
* chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] (main) (cilium/cilium#35751, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1730965050-cd22d9ffa21eb4f214bf059bcc5d2f40f0c47882 (main) (cilium/cilium#35835, @cilium-renovate[bot])
* chore: fix some function names (cilium/cilium#34626, @jinjiadu)
* cilium, ci: Add netkit with per-endpoint-routes (cilium/cilium#35542, @borkmann)
* cilium-cli/install: remove deprecated no-op --disable-check flag (cilium/cilium#36110, @tklauser)
* cilium-cli: apply network policies to no-conn-disrupt test (cilium/cilium#35685, @giorio94)
* cilium-cli: Skip `nil details for Service` error in check-log-errors (cilium/cilium#35671, @rastislavs)
* cilium-cli: Use unique CNP names (cilium/cilium#36064, @jrajahalme)
* cilium-dbg: Add sysdump command (cilium/cilium#35370, @joestringer)
* cilium-dbg: Replace statedb command with "shell -- db show" (cilium/cilium#35545, @joamaki)
* cilium: per service algorithm follow-ups (cilium/cilium#36204, @borkmann)
* CiliumEnvoyConfig handling for experimental control-plane (cilium/cilium#35598, @joamaki)
* cleanup: Remove deprecated field TrafficPolicy (cilium/cilium#36187, @sayboras)
* clustermesh: fix config watcher missed events with fsnotify 1.8.0 (cilium/cilium#35770, @giorio94)
* ctmap/gc: implement stream.Observable[GCEvent] for CT Map GC (cilium/cilium#36084, @ysksuzuki)
* daemon: Catch panics in shell handler (cilium/cilium#35918, @joamaki)
* daemon: Reduce level of socket LB tracing warning (cilium/cilium#35798, @pchaigno)
* daemon: refactor Hubble Exporters as a cell (cilium/cilium#35596, @devodev)
* datapath/iptables: make --enable-xt-socket-fallback a cell flag (cilium/cilium#36111, @tklauser)
* deps, renovate: Bump GoBGP to v3.31.0 & Re-enable GoBGP dependency updates (cilium/cilium#35795, @rastislavs)
* docs/ipsec: Remove KPR limitation (cilium/cilium#35743, @pchaigno)
* docs/xfrm: Fix incorrect statement regarding XFRM IN policies (cilium/cilium#35626, @pchaigno)
* docs: Add documentation for cilium/vendor responsibilities (cilium/cilium#34211, @learnitall)
* docs: Add documentation for Gateway API Addresses Support (cilium/cilium#35536, @chaunceyjiang)
* docs: Add generated file for new sysdump cmd (cilium/cilium#35883, @sayboras)
* docs: Add the tls:// prefix before the IP address (cilium/cilium#36118, @liyihuang)
* docs: Fix a typo in API rate-limiting documentation (cilium/cilium#36246, @usiegj00)
* docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (cilium/cilium#35725, @nvibert)
* docs: Improve dev workflow for renovate (cilium/cilium#35687, @joestringer)
* docs: In k0s guide, remove dashes to fix invalid Bash variable names. (cilium/cilium#35923, @yilas)
* docs: lrp: fix kernel version requirement for skipRedirectFromBackend (cilium/cilium#35921, @ysksuzuki)
* docs: update keyless signing link (cilium/cilium#36144, @ferozsalam)
* docs: WireGuard doesn't require overlay port in Network Firewalls (cilium/cilium#36208, @julianwiedmann)
* endpoint: Fix syncing of invalid policymap entries on upgrade (cilium/cilium#35834, @jrajahalme)
* endpoint: make restore-rules caching private (cilium/cilium#35488, @squeed)
* envoy: Configure internal_address_config to avoid warning log (cilium/cilium#35943, @sayboras)
* envoy: Configure internal_address_config to avoid warning log (cilium/cilium#36198, @sayboras)
* envoy: Limit started serving logging to the typeURL of the stream (cilium/cilium#35736, @jrajahalme)
* envoy: Update envoy image to the latest (cilium/cilium#36100, @sayboras)
* envoy: Update image for SDS headermatch crash (cilium/cilium#36177, @jrajahalme)
* experimental: Add Maglev support (cilium/cilium#35430, @DamianSawicki)
* Fix missing edsClusterConfig in CiliumClusterwideEnvoyConfig for envoy-circuit-breaker.yaml example (cilium/cilium#35647, @kachi-bits)
* fix(deps): update all go dependencies main (main) (cilium/cilium#35707, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#36138, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#35708, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#36126, @cilium-renovate[bot])
* fix(deps): update kubernetes packages to v0.31.3 (main) (cilium/cilium#36127, @cilium-renovate[bot])
* fix(deps): update module github.com/aws/aws-sdk-go-v2/service/ec2 to v1.194.0 (main) (cilium/cilium#36273, @cilium-renovate[bot])
* fix(deps): update module k8s.io/kubectl to v0.31.2 (main) (cilium/cilium#35709, @cilium-renovate[bot])
* fix(deps): update opentelemetry-go monorepo to v1.32.0 (main) (cilium/cilium#36274, @cilium-renovate[bot])
* fix: dynamicSizeRatio in "Memory available for map entries" log message (cilium/cilium#36211, @jingyuanliang)
* fix: SetBackends should always update frontends of the modified service (cilium/cilium#35864, @DamianSawicki)
* Fixed BGP documentation (cilium/cilium#35953, @seadog007)
* go.mod: Bump controller-tools to v0.16.5 (cilium/cilium#35992, @christarazi)
* golang: Enable type alias again for go 1.23 (cilium/cilium#35406, @sayboras)
* helm: clarify text for serviceNoBackendResponse (cilium/cilium#35734, @julianwiedmann)
* helm: Define a variable for common label validation exclusion (cilium/cilium#36218, @michi-covalent)
* helm: fix commonLabels parsing in hubble dashboard configmap (cilium/cilium#36196, @devodev)
* helm: Remove redundant attribute in TLS configuration (cilium/cilium#36041, @sayboras)
* helm: Support extending certgen configuration templates (cilium/cilium#35853, @chancez)
* hubble-relay: make MinTLSVersion a var (cilium/cilium#36188, @devodev)
* hubble: add a couple of "any interface" filter test cases (cilium/cilium#34984, @kaworu)
* hubble: make MinTLSVersion a var (cilium/cilium#36164, @devodev)
* images: bump cni plugins to v1.6.0 (cilium/cilium#36075, @ferozsalam)
* ipsec: Fix XFRM clean up (cilium/cilium#36031, @pchaigno)
* ipsec: Simplify XFRM IN policies and templates (cilium/cilium#35831, @pchaigno)
* k8s/epslices: ensure that all fields are always DeepCopied (cilium/cilium#36000, @giorio94)
* kvstore: drop obsolete removal of legacy prefixes (cilium/cilium#35995, @giorio94)
* lbmap: skip expensive debug log operations when disabled (cilium/cilium#35999, @giorio94)
* Logging: Add klog override matcher to remap certain errors to "info" level (cilium/cilium#35942, @tommyp1ckles)
* lrp: fix kernel version requirement in warning log (cilium/cilium#36141, @ysksuzuki)
* makefile: add target to install Cilium in kvstore mode (cilium/cilium#35646, @giorio94)
* Makefile: fix swagger definition for automatic renovate updates (cilium/cilium#35979, @aanm)
* Mark BPF-based proxy redirection (bpf-tproxy) feature as beta (cilium/cilium#35790, @hemanthmalla)
* metrics/features: refactor metric names (cilium/cilium#36209, @aanm)
* Miscellaneous improvements to DNS introspection policies in connectivity tests (cilium/cilium#36193, @giorio94)
* node: avoid JSON unserializable log field (cilium/cilium#35894, @bimmlerd)
* node: Improve local node synchronizer logging (cilium/cilium#36171, @pippolo84)
* operator/bgpv2: Relax warnings upon transient k8s errors (cilium/cilium#36256, @rastislavs)
* operator: always use controller-runtime metric registry as base (cilium/cilium#36243, @mhofstetter)
* operator: demote non-consecutive health check warnings (cilium/cilium#36238, @giorio94)
* pkg/map/stats: provide Observable[T] fields for nat iteration. (cilium/cilium#35515, @tommyp1ckles)
* pkg/metrics/bpf: new bpf_maps & bpf_progs metrics (cilium/cilium#29984, @mvisonneau)
* pkg/redirectpolicy: Delete unused variable in getAndUpsertPolicySvcCo… (cilium/cilium#35794, @Sm0ckingBird)
* policy/api: don't write zero enableDefaultDeny field (cilium/cilium#35804, @squeed)
* policy: consistent enablement in agent and operator (cilium/cilium#36167, @dlapcevic)
* policy: Do not fuzz mapState receiver (cilium/cilium#36200, @jrajahalme)
* policy: No-op Identity Allocator (cilium/cilium#35973, @dlapcevic)
* policy: Use no-op ID allocator when policy is disabled (cilium/cilium#36102, @dlapcevic)
* Prepare for release v1.17.0-pre.2 (cilium/cilium#35699, @cilium-release-bot[bot])
* proxy: Ensure proxy ports are written on shutdown (cilium/cilium#35839, @jrajahalme)
* README.rst: Update Cilium's intro picture with the up-to-date logo for Tetragon (cilium/cilium#36002, @paularah)
* README: Update releases (cilium/cilium#35701, @joestringer)
* README: Update releases (cilium/cilium#36062, @bimmlerd)
* Refactor deprecated call to grpc.DialContext in Hubble Relay (cilium/cilium#36027, @devodev)
* Remove duplicated watch on services and endpoint in the cilium-agent (cilium/cilium#35838, @MrFreezeex)
* renovate: fix API files generation using renovate (cilium/cilium#35676, @aanm)
* renovate: fix auto update of GH issue template (cilium/cilium#35675, @aanm)
* renovate: fix PS1: unbound variable error (cilium/cilium#35978, @aanm)
* Revert "sysdump: collect Cilium profiling data as first task" (cilium/cilium#35771, @giorio94)
* Silence error logs if pod is deleted during restoration (cilium/cilium#35851, @giorio94)
* Silence spurious clustermesh-related warnings (cilium/cilium#35867, @giorio94)
* sysdump: Collect crashed pod logs in cilium-test namespaces (cilium/cilium#35612, @jschwinger233)
* test: FQDN: prevent names from being GCd when restarting (cilium/cilium#35985, @squeed)
* Update basic-https.yaml (cilium/cilium#36207, @sajjadjafaribojd)
* Update USERS.md with Virtuozzo (cilium/cilium#35841, @egoust)
* Update values file to include flag iptablesRandomFully (cilium/cilium#35484, @rbankston)
* watcher: Avoid using global default slog (cilium/cilium#35702, @sayboras)
* workflow fix: extra space remove to make linter happy (cilium/cilium#35889, @viktor-kurchenko)

**Other Changes:**
* envoy: Start listening on xDS socket only after endpoint restoration (cilium/cilium#36032, @jrajahalme)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.0-pre.3@sha256:a85a0ebd4155217cbd4083cac4c79a31180b43dad1ba3be807107b31c03ba534`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.0-pre.3@sha256:ec1aea788396299ed4fdc57611be8422394b2d2af89eb89f9ad3807c94dfeeca`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.0-pre.3@sha256:02e48d83037ac7da8f3fd7b8d5be2de8c085f387611080d58911774d6d8e11b8`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.0-pre.3@sha256:c728161d06a7ff6b709edeb3a82ba8ede683a2968130876d8681b71bbbc8e327`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.0-pre.3@sha256:6f6fc68230fc34986be3df26ee7713407463b073474822859e8b1d0d5fb1b0d6`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.0-pre.3@sha256:241c82b7d60160ed66849b21f8b4c7ab1ded1777500fa856411c057c47eead14`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.0-pre.3@sha256:bcd18e91fbc36808e1f3525cd75a207e24ce3aac9f2fea219255d86d8140b2ef`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.0-pre.3@sha256:3f408dba3ab1940765ba4b0ecf37dbc68a7d823051a70a9f20e0dfe78cb52403`

### operator

`quay.io/cilium/operator:v1.17.0-pre.3@sha256:28dea23ee214c870944b7806d6a05e4264a0af4e31f1199262a2384fc87476e7`


1.16.4 (2024-11-20)

Security Advisories
-------------------

This release addresses https://github.com/cilium/cilium/security/advisories/GHSA-xg58-75qf-9r67.

Summary of Changes
------------------

**Minor Changes:**
* Added Helm option 'envoy.initialFetchTimeoutSeconds' (default 30 seconds) to override the Envoy default (15 seconds). (Backport PR #35908, Upstream PR #35809, @jrajahalme)
* clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (Backport PR #35543, Upstream PR #35349, @giorio94)
* helm: Lower default `hubble.tls.auto.certValidityDuration` to 365 days (Backport PR #35781, Upstream PR #35630, @chancez)
* helm: New socketLB.tracing flag (Backport PR #35781, Upstream PR #35747, @pchaigno)
* hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #35781, Upstream PR #35632, @chancez)
* netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (Backport PR #35543, Upstream PR #35306, @jrife)

**Bugfixes:**
* Avoid duplicate errors in health status for node-neighbor-link-updater (Backport PR #35468, Upstream PR #35179, @wedaly)
* bgpv1: fix reconciliation of services with shared VIPs (Backport PR #35468, Upstream PR #35333, @rastislavs)
* bgpv2,operator: Fix the race condition in the nodeSelector conflict detection logic (Backport PR #35863, Upstream PR #35690, @YutaroHayakawa)
* bgpv2: set local peering address when specified (Backport PR #35781, Upstream PR #35552, @harsimran-pabla)
* Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (Backport PR #35603, Upstream PR #35150, @jrajahalme)
* Cilium's DNS proxy no longer gets stuck for a specific five-tuple if a `timeout waiting for response` error is encountered. (Backport PR #35781, Upstream PR #35589, @bimmlerd)
* config: Remove superfluous warning on native routing CIDR (Backport PR #35781, Upstream PR #35738, @gandro)
* Fix missing flowlabel hash on SRv6 traffic. (Backport PR #35781, Upstream PR #35498, @akaliwod)
* Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #35543, Upstream PR #35173, @smagnani96)
* Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (Backport PR #35781, Upstream PR #35673, @giorio94)
* Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #35468, Upstream PR #35165, @julianwiedmann)
* Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR #35908, Upstream PR #35694, @julianwiedmann)
* Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (Backport PR #35781, Upstream PR #35599, @squeed)
* Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (Backport PR #35543, Upstream PR #35293, @squeed)
* Fixes a potential deadlock when restarting cilium agent with pods with DNS interception configured (Backport PR #35906, Upstream PR #35890, @squeed)
* Fixes BPF Masquerading exclusion CIDR for IPAM modes "eni", "azure" and "alibabacloud". (cilium/cilium#35611, @pippolo84)
* helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (Backport PR #35319, Upstream PR #35301, @hox)
* helm: fix duplicate configmap key for `bpf-lb-sock-terminate-pod-connections` (Backport PR #35781, Upstream PR #35703, @solidDoWant)
* helm: set automountServiceAccountToken to false for hubble-relay sa (Backport PR #35781, Upstream PR #35674, @ayuspin)
* hubble: fix endpoint cluster name (Backport PR #35781, Upstream PR #35415, @kaworu)
* hubble: Lock exporters while gathering metrics (Backport PR #35908, Upstream PR #35860, @joestringer)
* Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (Backport PR #35781, Upstream PR #35143, @jrajahalme)
* ipam: Validate CiliumNode resource in ENI mode (Backport PR #35792, Upstream PR #35784, @sayboras)
* l7lb: fix registration of flag loadbalancer-l7 (Backport PR #35781, Upstream PR #35623, @mhofstetter)
* Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (Backport PR #35319, Upstream PR #35069, @chancez)
* option: Reduce log level for WG strict mode + IPv6 (Backport PR #35908, Upstream PR #35763, @pchaigno)
* Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (Backport PR #35468, Upstream PR #35381, @jrajahalme)
* treewide: Add wrapper for `netlink` functions that may fail with `ErrDumpInterrupted` (Backport PR #35654, Upstream PR #35614, @gandro)
* wireguard: Fix connectivity issues following node reboots. (Backport PR #35908, Upstream PR #35750, @jrife)

**CI Changes:**
* .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #35468, Upstream PR #35399, @aanm)
* .github: extend timeout for tests-ipsec-upgrade workflow (Backport PR #35781, Upstream PR #35657, @rastislavs)
* .github: remove libncurses5 from integration tests (Backport PR #35468, Upstream PR #35408, @aanm)
* [v1.16] gh: e2e-upgrade: restart LRP backend pod after upgrade (cilium/cilium#35329, @ysksuzuki)
* [v1.16] github: update rhel8 LVH image to rhel8.6 (cilium/cilium#35733, @julianwiedmann)
* Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #35905, Upstream PR #35679, @giorio94)
* ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #35582, Upstream PR #35286, @julianwiedmann)
* ci: datapath-verifier: bump lvh images (Backport PR #35648, Upstream PR #35456, @julianwiedmann)
* gha: Update chmod command (Backport PR #35468, Upstream PR #35400, @sayboras)
* github: Pass the workflow step timeout to go test (Backport PR #35908, Upstream PR #35814, @jrajahalme)
* Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #35319, Upstream PR #35267, @aanm)
* workflows/gateway-api: Cover IPsec with GatewayAPI (Backport PR #35908, Upstream PR #35584, @pchaigno)
* workflows/ingress: Run basic checks (Backport PR #35908, Upstream PR #35683, @pchaigno)
* workflows/ipsec: Cover Ingress (Backport PR #35908, Upstream PR #35476, @pchaigno)
* workflows: Extend IPsec tests to cover egress gateway (Backport PR #35540, Upstream PR #35323, @pchaigno)

**Misc Changes:**
* .github/build-images-base: checkout base branch to get scripts (Backport PR #35319, Upstream PR #35236, @aanm)
* .github: remove retention days for image digests (Backport PR #35468, Upstream PR #35457, @aanm)
* bpf: vxlan helper improvements (Backport PR #35543, Upstream PR #34755, @julianwiedmann)
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#35382, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#35439, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#35573, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#35710, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#35438, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.16) (cilium/cilium#35730, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.16) (cilium/cilium#35379, @cilium-renovate[bot])
* chore(deps): update go to v1.22.9 (v1.16) (cilium/cilium#35854, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.16) (cilium/cilium#35491, @cilium-renovate[bot])
* chore(deps): update stable lvh-images (v1.16) (patch) (cilium/cilium#35731, @cilium-renovate[bot])
* cilium, docs: Extend requirements for L7 proxy (Backport PR #35781, Upstream PR #35669, @borkmann)
* cilium: add probe for netkit for more user friendly error when not supported (Backport PR #35781, Upstream PR #35551, @borkmann)
* ctrl-runtime: lower severity of retryable reconcile errors (Backport PR #35592, Upstream PR #35364, @giorio94)
* daemon: Reduce level of socket LB tracing warning (Backport PR #35908, Upstream PR #35798, @pchaigno)
* datapath: move policy map value prefix length to flags (Backport PR #35603, Upstream PR #35534, @jrajahalme)
* dnsproxy: fix error when sessionUDPFactory fails (Backport PR #35543, Upstream PR #33998, @marseel)
* docs/ipsec: Remove KPR limitation (Backport PR #35908, Upstream PR #35743, @pchaigno)
* docs/xfrm: Fix incorrect statement regarding XFRM IN policies (Backport PR #35781, Upstream PR #35626, @pchaigno)
* docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #35319, Upstream PR #35288, @oneumyvakin)
* docs: clean up stale kernel requirements (Backport PR #35582, Upstream PR #35575, @julianwiedmann)
* docs: Fix incorrect link to RFC 4271 for BGP control plane timers. (Backport PR #35781, Upstream PR #35725, @nvibert)
* docs: kpr: update error message regarding SocketLB tracing (Backport PR #35468, Upstream PR #35337, @julianwiedmann)
* docs: tuning: XDP LB also supports tunnel routing (Backport PR #35582, Upstream PR #35574, @julianwiedmann)
* docs: update 1.16 upgrade note for LRP (cilium/cilium#35944, @ysksuzuki)
* docs: update default identity label filters (Backport PR #35468, Upstream PR #35422, @marseel)
* docs: XFRM reference guide for IPsec development (Backport PR #35582, Upstream PR #35322, @pchaigno)
* Envoy simplify listener setup (Backport PR #35764, Upstream PR #35642, @jrajahalme)
* envoy: Configure internal_address_config to avoid warning log (Backport PR #35471, Upstream PR #35090, @sayboras)
* envoy: Limit started serving logging to the typeURL of the stream (Backport PR #35781, Upstream PR #35736, @jrajahalme)
* Fix wrongly spelled config option in error message (Backport PR #35543, Upstream PR #35390, @baurmatt)
* helm: clarify text for serviceNoBackendResponse (Backport PR #35908, Upstream PR #35734, @julianwiedmann)
* hubble: Add 'release' Make target (Backport PR #35781, Upstream PR #35561, @michi-covalent)
* image: Use cilium-builder instead of golang as operator builder image (Backport PR #35781, Upstream PR #35351, @learnitall)
* iptables: always warn about missing xt_socket module (Backport PR #35781, Upstream PR #35591, @julianwiedmann)
* makefile: add target to install Cilium in kvstore mode (Backport PR #35905, Upstream PR #35646, @giorio94)
* proxy: Ensure proxy ports are written on shutdown (Backport PR #35908, Upstream PR #35839, @jrajahalme)
* Silence spurious clustermesh-related warnings (Backport PR #35850, Upstream PR #35867, @giorio94)

**Other Changes:**
* [v1.16] envoy: Add configuration for OverloadManager (cilium/cilium#35787, @sayboras)
* [v1.16] envoy: Bump envoy version from 1.29.x to 1.30.x (cilium/cilium#35563, @sayboras)
* [v1.16] policy/correlation: Fix `PolicyMatch{L3Proto,L4Only}` case (cilium/cilium#35681, @gandro)
* chore(deps): update cilium-envoy dependency (cilium/cilium#35920, @sayboras)
* install: Update image digests for v1.16.3 (cilium/cilium#35361, @cilium-release-bot[bot])
* Policy add deny rule test and benchmark (cilium/cilium#35714, @jrajahalme)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf`
`quay.io/cilium/cilium:stable@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.4@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.4@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e`
`quay.io/cilium/docker-plugin:stable@sha256:0e55f80fa875a1bcce87d87eae9a72b32c9db1fe9741c1f8d1bf308ef4b1193e`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.4@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2`
`quay.io/cilium/hubble-relay:stable@sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.4@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686`
`quay.io/cilium/operator-alibabacloud:stable@sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686`

### operator-aws

`quay.io/cilium/operator-aws:v1.16.4@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be`
`quay.io/cilium/operator-aws:stable@sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be`

### operator-azure

`quay.io/cilium/operator-azure:v1.16.4@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de`
`quay.io/cilium/operator-azure:stable@sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de`

### operator-generic

`quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5`
`quay.io/cilium/operator-generic:stable@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5`

### operator

`quay.io/cilium/operator:v1.16.4@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff`
`quay.io/cilium/operator:stable@sha256:c77643984bc17e1a93d83b58fa976d7e72ad1485ce722257594f8596899fdfff`


1.15.11 (2024-11-20)

Summary of Changes
------------------

**Minor Changes:**
* hubble-relay: Return underlying connection errors when connecting to peer manager (Backport PR #35778, Upstream PR #35632, @chancez)

**Bugfixes:**
* config: Remove superfluous warning on native routing CIDR (Backport PR #35778, Upstream PR #35738, @gandro)
* Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (Backport PR #35586, Upstream PR #35173, @smagnani96)
* Fix redirect from L3 device to remote endpoint via overlay network. (Backport PR #35586, Upstream PR #35165, @julianwiedmann)
* Fixed bug which prevented IP surge allocation from working (Backport PR #35419, Upstream PR #34090, @dlapcevic)
* ipam: Validate CiliumNode resource in ENI mode (Backport PR #35793, Upstream PR #35784, @sayboras)
* l7lb: fix registration of flag loadbalancer-l7 (Backport PR #35778, Upstream PR #35623, @mhofstetter)

**CI Changes:**
* .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #35469, Upstream PR #35399, @aanm)
* Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #35909, Upstream PR #35679, @giorio94)
* ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #35586, Upstream PR #35286, @julianwiedmann)
* gha: Correct number of connect retry param in LVH (Backport PR #35778, Upstream PR #32598, @sayboras)
* gha: Update chmod command (Backport PR #35469, Upstream PR #35400, @sayboras)
* Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #35320, Upstream PR #35267, @aanm)

**Misc Changes:**
* .github/build-images-base: checkout base branch to get scripts (Backport PR #35320, Upstream PR #35236, @aanm)
* .github: remove retention days for image digests (Backport PR #35469, Upstream PR #35457, @aanm)
* Accurately manage the teardown sequence of an Endpoint's BPF resources (Backport PR #35786, Upstream PR #32167, @ti-mo)
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#35387, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#35444, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#35576, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#35711, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#35442, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#35663, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#35914, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.3 (v1.15) (cilium/cilium#35664, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.15) (cilium/cilium#35443, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.8 docker digest to b274ff1 (v1.15) (cilium/cilium#35383, @cilium-renovate[bot])
* chore(deps): update go to v1.22.9 (v1.15) (cilium/cilium#35846, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.15) (cilium/cilium#35492, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729775735-a37f7d6081718666dab500533cfda5cecb4febf5 (v1.15) (cilium/cilium#35547, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1730450803-0a83534f8c57b4d24405b213ed4b65e4e4987d8d (v1.15) (cilium/cilium#35715, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1730965050-cd22d9ffa21eb4f214bf059bcc5d2f40f0c47882 (v1.15) (cilium/cilium#35836, @cilium-renovate[bot])
* cilium: Small health cleanup improvements (Backport PR #35639, Upstream PR #33700, @borkmann)
* dnsproxy: fix error when sessionUDPFactory fails (Backport PR #35586, Upstream PR #33998, @marseel)
* docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #35320, Upstream PR #35288, @oneumyvakin)
* docs: tuning: XDP LB also supports tunnel routing (Backport PR #35586, Upstream PR #35574, @julianwiedmann)
* Envoy simplify listener setup (Backport PR #35766, Upstream PR #35642, @jrajahalme)
* envoy: Configure internal_address_config to avoid warning log (Backport PR #35472, Upstream PR #35090, @sayboras)
* fqdn: Skip "open ports" check for statically configured ports (Backport PR #35948, Upstream PR #33230, @gandro)
* image: Use cilium-builder instead of golang as operator builder image (Backport PR #35586, Upstream PR #35351, @learnitall)
* ipam: lower loglevel from error to warn if eni link list can't be listed (Backport PR #35469, Upstream PR #32602, @mhofstetter)
* makefile: add target to install Cilium in kvstore mode (Backport PR #35909, Upstream PR #35646, @giorio94)
* Makefile: Refactor hubble-relay target (Backport PR #35320, Upstream PR #29867, @chancez)
* Proxy persist proxy ports (Backport PR #35684, Upstream PR #32973, @jrajahalme)
* proxy: Ensure proxy ports are written on shutdown (Backport PR #35939, Upstream PR #35839, @jrajahalme)

**Other Changes:**
* [v1.15] tests-e2e-upgrade: No longer use secondary network for test 14 (cilium/cilium#35969, @gandro)
* [v1.15] .github: Fix missing variable escaping in LVH command (cilium/cilium#35893, @gandro)
* [v1.15] envoy: Bump envoy version from 1.29.x to 1.30.x (cilium/cilium#35564, @sayboras)
* install: Update image digests for v1.15.10 (cilium/cilium#35360, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.15.11@sha256:4444c963c586dd29c9219f4f984b87b7d6f7ee5c0ce650b442111a6ab602b00f`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.15.11@sha256:62a4aa3467fa94de65cc01bbbac97484edeee14f7510af7e096b51ab79a6ff71`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.15.11@sha256:3a9c057f13d9447732ac12373286d23acab5024ce39ce9797ce3b05df43a53ff`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.15.11@sha256:d352d3860707e8d734a0b185ff69e30b3ffd630a7ec06ba6a4402bed64b4456c`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.15.11@sha256:62d67aafbfdc9faa4af1c7a1cae39ae61cf151da414670d317c7e2d60820b3de`

### operator-aws

`quay.io/cilium/operator-aws:v1.15.11@sha256:88088886ab884441c190211d25cae9056f2f4a26e9dcb857c020324062831ab6`

### operator-azure

`quay.io/cilium/operator-azure:v1.15.11@sha256:b80f4239af8617fa5ea131cedf5c2d3e3375b91916f69e348993a535f7c1fbc3`

### operator-generic

`quay.io/cilium/operator-generic:v1.15.11@sha256:8edf16ce4bc5c02457136cf0e7a58adf396f0880d6192ca0666f116f53f4979d`

### operator

`quay.io/cilium/operator:v1.15.11@sha256:945b54e27f3216e35e30b66d653de0517426e14a4e9200fd10cb73f5852e1b4a`


1.14.17 (2024-11-20)

Summary of Changes
------------------

**CI Changes:**
* .github/conformance-ginkgo: replace deprecated jq flag (Backport PR #35470, Upstream PR #35399, @aanm)
* [v1.14] gha: fix incorrect go version in lint-build-commits workflow (cilium/cilium#35313, @giorio94)
* Additionally test KVStore mode in E2E/IPSec workflows (Backport PR #35913, Upstream PR #35679, @giorio94)
* ci: conformance-kind: re-enable flaky Aggregator test (Backport PR #35588, Upstream PR #35286, @julianwiedmann)
* gha: Correct number of connect retry param in LVH (Backport PR #35777, Upstream PR #32598, @sayboras)
* gha: Update chmod command (Backport PR #35470, Upstream PR #35400, @sayboras)
* Refactor and set a default for GH_RUNNER_EXTRA_POWER (Backport PR #35332, Upstream PR #35267, @aanm)

**Misc Changes:**
* .github/build-images-base: checkout base branch to get scripts (Backport PR #35332, Upstream PR #35236, @aanm)
* .github: remove retention days for image digests (Backport PR #35470, Upstream PR #35457, @aanm)
* Accurately manage the teardown sequence of an Endpoint's BPF resources (Backport PR #35888, Upstream PR #32167, @ti-mo)
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#35447, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#35717, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.14) (cilium/cilium#35445, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.3 (v1.14) (cilium/cilium#35665, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.14) (cilium/cilium#35446, @cilium-renovate[bot])
* chore(deps): update go to v1.22.9 (v1.14) (cilium/cilium#35829, @cilium-renovate[bot])
* chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] (v1.14) (cilium/cilium#35754, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729635771-fa4efeff33a344a45e14a4068c61dc438b3d2270 (v1.14) (cilium/cilium#35493, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1729775735-a37f7d6081718666dab500533cfda5cecb4febf5 (v1.14) (cilium/cilium#35548, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1730450803-0a83534f8c57b4d24405b213ed4b65e4e4987d8d (v1.14) (cilium/cilium#35716, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.7-1730965050-cd22d9ffa21eb4f214bf059bcc5d2f40f0c47882 (v1.14) (cilium/cilium#35837, @cilium-renovate[bot])
* cilium: Small health cleanup improvements (Backport PR #35640, Upstream PR #33700, @borkmann)
* contrib/kind: custom kind values (Backport PR #35913, Upstream PR #28155, @mhofstetter)
* dnsproxy: fix error when sessionUDPFactory fails (Backport PR #35588, Upstream PR #33998, @marseel)
* docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (Backport PR #35332, Upstream PR #35288, @oneumyvakin)
* docs: tuning: XDP LB also supports tunnel routing (Backport PR #35588, Upstream PR #35574, @julianwiedmann)
* Envoy simplify listener setup (Backport PR #35769, Upstream PR #35642, @jrajahalme)
* envoy: Configure internal_address_config to avoid warning log (Backport PR #35473, Upstream PR #35090, @sayboras)
* fqdn: Skip "open ports" check for statically configured ports (Backport PR #35886, Upstream PR #33230, @gandro)
* ipam: lower loglevel from error to warn if eni link list can't be listed (Backport PR #35470, Upstream PR #32602, @mhofstetter)
* makefile: add target to install Cilium in kvstore mode (Backport PR #35913, Upstream PR #35646, @giorio94)
* Makefile: Refactor hubble-relay target (Backport PR #35332, Upstream PR #29867, @chancez)
* Proxy persist proxy ports (Backport PR #35686, Upstream PR #32973, @jrajahalme)
* proxy: Ensure proxy ports are written on shutdown (Backport PR #35940, Upstream PR #35839, @jrajahalme)

**Other Changes:**
* [v1.14] envoy: Bump envoy version from 1.29.x to 1.30.x (cilium/cilium#35565, @sayboras)
* chore(deps): update all-dependencies (v1.14) (cilium/cilium#35912, @cilium-renovate[bot])
* install: Update image digests for v1.14.16 (cilium/cilium#35358, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`docker.io/cilium/cilium:v1.14.17@sha256:19952c9cb6ede01233ae5c4cd28e3ed2de266e80fa8b6bf34f878373f2c18de5`
`quay.io/cilium/cilium:v1.14.17@sha256:19952c9cb6ede01233ae5c4cd28e3ed2de266e80fa8b6bf34f878373f2c18de5`

### clustermesh-apiserver

`docker.io/cilium/clustermesh-apiserver:v1.14.17@sha256:097166b9ed8a8f104bdd2193f7b58570ef64d6b455b168ddf65707753b1d8d68`
`quay.io/cilium/clustermesh-apiserver:v1.14.17@sha256:097166b9ed8a8f104bdd2193f7b58570ef64d6b455b168ddf65707753b1d8d68`

### docker-plugin

`docker.io/cilium/docker-plugin:v1.14.17@sha256:6410f968dfc76dd6847e740133e2679f07dd907949ee28de35198be124538bd4`
`quay.io/cilium/docker-plugin:v1.14.17@sha256:6410f968dfc76dd6847e740133e2679f07dd907949ee28de35198be124538bd4`

### hubble-relay

`docker.io/cilium/hubble-relay:v1.14.17@sha256:f4e581e6b51ccf80ba4d642a23a79e823401e6b9073de8590be7ead84a383e95`
`quay.io/cilium/hubble-relay:v1.14.17@sha256:f4e581e6b51ccf80ba4d642a23a79e823401e6b9073de8590be7ead84a383e95`

### kvstoremesh

`docker.io/cilium/kvstoremesh:v1.14.17@sha256:b42821b9c210c1f1a6f0e69f2f54ce84287ffdeb41e077ffcbb83dc4078eb774`
`quay.io/cilium/kvstoremesh:v1.14.17@sha256:b42821b9c210c1f1a6f0e69f2f54ce84287ffdeb41e077ffcbb83dc4078eb774`

### operator-alibabacloud

`docker.io/cilium/operator-alibabacloud:v1.14.17@sha256:d1e03489fb9afdb6b3e8ec42168fd11d84dbe8c90fcf4efda1eafcd3d45181a6`
`quay.io/cilium/operator-alibabacloud:v1.14.17@sha256:d1e03489fb9afdb6b3e8ec42168fd11d84dbe8c90fcf4efda1eafcd3d45181a6`

### operator-aws

`docker.io/cilium/operator-aws:v1.14.17@sha256:78c5815933e2fa4af7848d92589fc91032551912981005e76ea68285bfbb46cb`
`quay.io/cilium/operator-aws:v1.14.17@sha256:78c5815933e2fa4af7848d92589fc91032551912981005e76ea68285bfbb46cb`

### operator-azure

`docker.io/cilium/operator-azure:v1.14.17@sha256:14663398d0213db3b341d0517033a3e0acea797b5c4e913b3dd5b691200f4d68`
`quay.io/cilium/operator-azure:v1.14.17@sha256:14663398d0213db3b341d0517033a3e0acea797b5c4e913b3dd5b691200f4d68`

### operator-generic

`docker.io/cilium/operator-generic:v1.14.17@sha256:79541e670c0cdb735129496355d08f9035ec28f276b9f826698b7a61a9116ae5`
`quay.io/cilium/operator-generic:v1.14.17@sha256:79541e670c0cdb735129496355d08f9035ec28f276b9f826698b7a61a9116ae5`

### operator

`docker.io/cilium/operator:v1.14.17@sha256:09be92cea0520f754e1857392a07f78075222203cf118a08b7321a17031688f9`
`quay.io/cilium/operator:v1.14.17@sha256:09be92cea0520f754e1857392a07f78075222203cf118a08b7321a17031688f9`


1.17.0-pre.2 (2024-11-01)

Summary of Changes
------------------

**Major Changes:**
* clustermesh: add Multi-cluster Service API support (cilium/cilium#34439, @MrFreezeex)

**Minor Changes:**
* Add a --kubeconfig argument to CLI (cilium/cilium#34573, @ldlb9527)
* Add support for automatic port-forwarding in Hubble CLI. Replace kubectl-based port-forwarding with native implementation in Cilium CLI (cilium/cilium#35483, @devodev)
* Adds `cilium_hive_degraded_status` metric to count degraded health status levels of Hive components labeled by modules. (cilium/cilium#34824, @ovidiutirla)
* bpf,tests: Add TCP and UDP checksum validation (cilium/cilium#34408, @viktor-kurchenko)
* CIDRGroup Except blocks now produce fewer PolicyMap entries, improving scalability. (cilium/cilium#35139, @squeed)
* cilium-cli status: fail fast on terminal error (cilium/cilium#35048, @nimishamehta5)
* cilium: fix integer overflow in netkit probe on 32bit platform (cilium/cilium#35659, @devodev)
* clustermesh: add guardrails for known broken ENI/aws-chaining + cluster ID combination (cilium/cilium#35349, @giorio94)
* daemon: rename --bpf-conntrack-accounting-enabled flag to --bpf-conntrack-accounting (cilium/cilium#35142, @jibi)
* envoy: Bump envoy image to latest build (cilium/cilium#35538, @sayboras)
* feat(clustermesh): Deploy in parallel the connections (cilium/cilium#35021, @littlejo)
* feat(envoy): json logging support (cilium/cilium#34323, @byxorna)
* Fixes slow policy import times when many network policies reference the same CIDR. (cilium/cilium#35511, @squeed)
* gateway-api: Support latest release v1.2.0 (cilium/cilium#35216, @sayboras)
* helm: Add configuration option for endpoint source IP verification (cilium/cilium#34056, @CiraciNicolo)
* helm: Lower default `hubble.tls.auto.certValidityDuration` to 365 days (cilium/cilium#35630, @chancez)
* hubble-relay: Return underlying connection errors when connecting to peer manager (cilium/cilium#35632, @chancez)
* In case of an IPsec key rotation, error if the user forgot to increment the SPI per the documentation. (cilium/cilium#34037, @smagnani96)
* ipam: lower the severity of failed cilium node update if retry is going to be performed immediately (cilium/cilium#35479, @marseel)
* ipam: Support for static IP allocation in AWS (cilium/cilium#34622, @antonipp)
* k8s: support for loadbalancer svc ip mode (cilium/cilium#34780, @dakehero)
* Miscellaneous improvements to the sysdump collection (cilium/cilium#35610, @giorio94)
* policy: add namespace index to the policy repository so we can skip trying to match namespace-specific rules for the non-matching namespaces. (cilium/cilium#34802, @marseel)
* policy: make ToServices selectors work for in-cluster services too (cilium/cilium#34208, @chaunceyjiang)
* Remove deprecated annotations-based L7 visibility (cilium/cilium#35019, @tklauser)
* ServiceMonitor: Only create `envoy-metrics` block if Envoy is enabled (cilium/cilium#34673, @ToroNZ)
* Strictly validate the cluster name format (cilium/cilium#32819, @giorio94)
* wireguard: remove deprecated userspace fallback (cilium/cilium#35158, @julianwiedmann)

**Bugfixes:**
* Avoid duplicate errors in health status for node-neighbor-link-updater (cilium/cilium#35179, @wedaly)
* bgpv1: fix reconciliation of services with shared VIPs (cilium/cilium#35333, @rastislavs)
* bgpv2: fix reconciliation of services with shared VIPs (cilium/cilium#35166, @rastislavs)
* bgpv2: set local peering address when specified (cilium/cilium#35552, @harsimran-pabla)
* bugfix: fixed extravolumes mount in cilium-preflight (cilium/cilium#35386, @tokarev-artem)
* bugtool: fix cilium-health command (cilium/cilium#35068, @ayuspin)
* Cilium datapath now gives precedence for the more specific allow rule with L7 rules when rules with port ranges are present. (cilium/cilium#35150, @jrajahalme)
* Cilium no longer fails compiling bpf programs if listing network links is interrupted. (cilium/cilium#35259, @jrajahalme)
* Cilium's DNS proxy no longer gets stuck for a specific five-tuple if a `timeout waiting for response` error is encountered. (cilium/cilium#35589, @bimmlerd)
* cilium-dbg: fix status commands for cluster connectivity health (cilium/cilium#33972, @darox)
* Datasource error fixed for Cilium Operator dashboard (cilium/cilium#35420, @VergeDX)
* Fix an issue where pod-to-world traffic goes up stack when BPF host routing is enabled with tunnel. (cilium/cilium#35098, @jschwinger233)
* Fix incorrect deletion of revNAT entries due to service ID conflict (cilium/cilium#34552, @haozhangami)
* Fix missing flowlabel hash on SRv6 traffic. (cilium/cilium#35498, @akaliwod)
* Fix packet drops for pod-to-pod connections that pass through ingress & egress proxy when using IPsec, caused by MTU misconfiguration. (cilium/cilium#35173, @smagnani96)
* Fix possible disruption of long running pod to node traffic on agent restart in kvstore mode (cilium/cilium#35673, @giorio94)
* Fix redirect from L3 device to remote endpoint via overlay network. (cilium/cilium#35165, @julianwiedmann)
* Fixed bug in tracking policy changes that could have resulted in revert not working in failure cases as expected. (cilium/cilium#35109, @jrajahalme)
* Fixed Cilium CLI fatal error: concurrent map read and map write (cilium/cilium#35311, @chaunceyjiang)
* Fixes a bug where the operator incorrectly flagged CiliumNetworkPolicies containing ICMP rules as invalid. (cilium/cilium#35599, @squeed)
* Fixes a performance regression when ingesting network policies in clusters with large numbers of Services. (cilium/cilium#35293, @squeed)
* gateway-api: Add service observable event handler (cilium/cilium#33352, @sayboras)
* gha: Remove hostLegacyRouting in clustermesh (cilium/cilium#35418, @sayboras)
* helm template function no longer errors when using k8sServiceHost: auto (cilium/cilium#35186, @kreeuwijk)
* helm: Fix configmap unmarshal error on egressGateway.maxPolicyEntries (cilium/cilium#35301, @hox)
* hubble: add printer for lost events (cilium/cilium#35208, @aanm)
* hubble: fix endpoint cluster name (cilium/cilium#35415, @kaworu)
* Ingress endpoint is now included in the lxcmap so that ARP and ND6 work for them. (cilium/cilium#35143, @jrajahalme)
* l7lb: fix registration of flag loadbalancer-l7 (cilium/cilium#35623, @mhofstetter)
* Log errors when reloading hubble exporter configuration dynamically and do not attempt to close os.Stdout (cilium/cilium#35069, @chancez)
* Make LB-IPAM allow IP sharing between services with the same ports but different protocols (cilium/cilium#34691, @ldlb9527)
* netkit: Allow ARP packets through when using host firewall. (cilium/cilium#35070, @jrife)
* netkit: Fix issue where traffic originating from the host namespace fails to reach the pod when using endpoint routes and network policies. (cilium/cilium#35306, @jrife)
* Policy properly propagates proxy listener name and priority from a L3 wildcard rule with policies requiring authentication. (cilium/cilium#35381, @jrajahalme)
* treewide: Add wrapper for `netlink` functions that may fail with `ErrDumpInterrupted` (cilium/cilium#35614, @gandro)

**CI Changes:**
* .github/conformance-ginkgo: replace deprecated jq flag (cilium/cilium#35399, @aanm)
* .github/lint-build-commits: fix workflow for push events (cilium/cilium#35264, @aanm)
* .github: do not push floating tag from PRs (cilium/cilium#35227, @aanm)
* .github: extend timeout for tests-ipsec-upgrade workflow (cilium/cilium#35657, @rastislavs)
* .github: remove libncurses5 from integration tests (cilium/cilium#35408, @aanm)
* Add concurrency to e2e-upgrade tests (cilium/cilium#34806, @aanm)
* Add concurrency to test-ipsec-upgrade (cilium/cilium#35362, @aanm)
* Ariane: skip E2E tests when changing unit tests only (cilium/cilium#35334, @giorio94)
* bpf: complexity-tests: add HAVE_SET_RETVAL and HAVE_NETNS_COOKIE for bpf_sock tests (cilium/cilium#35291, @julianwiedmann)
* CI: Add channel arguments to GKE related workflows (cilium/cilium#35522, @brlbil)
* CI: Add list and filter artifacts steps (cilium/cilium#35172, @brlbil)
* CI: Add merge and upload composite action (cilium/cilium#35355, @brlbil)
* ci: conformance-kind: don't explicitly enable session affinity (cilium/cilium#35290, @julianwiedmann)
* ci: conformance-kind: re-enable flaky Aggregator test (cilium/cilium#35286, @julianwiedmann)
* ci: datapath-verifier: bump lvh images (cilium/cilium#35456, @julianwiedmann)
* ci: Introduce CILIUM_INSTALL_NET_PERF_EXTRA_ARGS env var (cilium/cilium#35178, @markpash)
* ci: netperf always run hubble (cilium/cilium#35268, @marseel)
* CI: remove unused env variable (cilium/cilium#35149, @brlbil)
* ci: run privileged tests in parallel except for IPSec (cilium/cilium#35232, @marseel)
* ci: switch most remaining workflows to new IPsec key system (cilium/cilium#35295, @julianwiedmann)
* cilium-cli: Ignore "No egress gateway found" drops (cilium/cilium#35609, @pchaigno)
* cli/connectivity: Test strict mode encryption (cilium/cilium#35231, @jschwinger233)
* Fix bug in testsuite where a list of Pods was initialized with several empty elements rather than allocating the buffer with space for enough elements. (cilium/cilium#35164, @rusttech)
* Fix bug preventing the ability to build images with non-stripped binaries (cilium/cilium#35326, @learnitall)
* gha: Update chmod command (cilium/cilium#35400, @sayboras)
* gha: Update logic to extract gateway-api version (cilium/cilium#35189, @sayboras)
* policy/ci: Add Complex Allow Test to Policy Engine (cilium/cilium#35156, @nathanjsweet)
* Refactor and set a default for GH_RUNNER_EXTRA_POWER (cilium/cilium#35267, @aanm)
* renovate: manually bump version (cilium/cilium#35660, @julianwiedmann)
* servicemesh, ci: run internal to NodePort test (cilium/cilium#35177, @marseel)
* workflows/gateway-api: Cover IPsec with GatewayAPI (cilium/cilium#35584, @pchaigno)
* workflows/ipsec: Cover Ingress (cilium/cilium#35476, @pchaigno)
* workflows: Extend IPsec tests to cover egress gateway (cilium/cilium#35323, @pchaigno)

**Misc Changes:**
* .github/build-images-base: checkout base branch to get scripts (cilium/cilium#35236, @aanm)
* .github: clean up disk for lint-build workflow (cilium/cilium#35141, @aanm)
* .github: do not update github runners for bpf workflows (cilium/cilium#35131, @aanm)
* .github: fix build image process to commit changes (cilium/cilium#35262, @aanm)
* .github: increase concurrent jobs in tests-e2e-upgrade (cilium/cilium#35225, @aanm)
* .github: remove retention days for image digests (cilium/cilium#35457, @aanm)
* Add BMC to USERS.md (cilium/cilium#35356, @ryebridge)
* add checks to ipv6_hdrlen return value usage during wireguard tracing in ingress path (cilium/cilium#35345, @smagnani96)
* Add default priorityClass system-node-critical to spire components (cilium/cilium#35269, @Tilusch)
* Add documentation for clustermesh MCS-API support (cilium/cilium#35114, @MrFreezeex)
* Add Koyeb to users.md (cilium/cilium#35481, @alisdairbr)
* Add logic to detect and trace WireGuard encrypted ingress/egress packets. (cilium/cilium#35183, @smagnani96)
* Add Scigility AG to USERS.md (cilium/cilium#34970, @ciil)
* Adding Ecco Data and Ai to Cilium users (cilium/cilium#35643, @Andre-Lx-Costa)
* Allow to group cells lifecycle and control the enablement leveraging the dynamic-config. (cilium/cilium#34936, @ovidiutirla)
* api: Convert logrus to slog (cilium/cilium#35340, @sayboras)
* auth: Convert logrus to slog (cilium/cilium#35461, @sayboras)
* auth: fix confusing comment about mutual auth handler (cilium/cilium#35649, @mhofstetter)
* bgpv2,doc: Update troubleshooting doc with CiliumBGPClusterConfig status conditions (cilium/cilium#35601, @YutaroHayakawa)
* bgpv2-docs: updating troubleshooting and operations guide (cilium/cilium#35431, @harsimran-pabla)
* bgpv2: Cleanup BGPInstance reconciler metadata (cilium/cilium#34426, @rastislavs)
* bgpv2: defining reconciler names and priorities constants (cilium/cilium#35181, @harsimran-pabla)
* bgpv2: Introduce MissingAuthSecret condition to PeerConfig (cilium/cilium#35650, @YutaroHayakawa)
* bgpv2: Introduce MissingPeerConfig condition to the ClusterConfig (cilium/cilium#35527, @YutaroHayakawa)
* bgpv2: Introduce NoMatchingNode condition to CiliumBGPClusterConfig (cilium/cilium#35517, @YutaroHayakawa)
* bgpv2: Use instance name instead of ASN in Diff ID (cilium/cilium#35207, @rastislavs)
* bpf: aligncheck the `node_value` struct (cilium/cilium#35309, @julianwiedmann)
* bpf: clean up FORCE_LOCAL_POLICY_EVAL_AT_SOURCE macro (cilium/cilium#35500, @julianwiedmann)
* bpf: lxc: don't clear CB_POLICY prior to local delivery (cilium/cilium#35175, @julianwiedmann)
* bpf: lxc: handle encap_and_redirect_lxc() result with switch statement (cilium/cilium#35691, @julianwiedmann)
* bpf: lxc: streamline ingress network policy path (cilium/cilium#35120, @julianwiedmann)
* bpf: nat: support additional code points for IPv4 ICMP_DEST_UNREACH (cilium/cilium#35636, @julianwiedmann)
* bpf: nodeport: split off the egress-specific parts (cilium/cilium#35474, @julianwiedmann)
* bpf: remove CB_POLICY logic (cilium/cilium#35239, @julianwiedmann)
* bpf: slim down EGW-related CT lookup in to-netdev (cilium/cilium#35463, @julianwiedmann)
* Bump readme for releases v1.16.3, v1.15.10, v1.14.16 (cilium/cilium#35412, @thorn3r)
* cec: Switch to slog for CEC (cilium/cilium#35253, @sayboras)
* chore(deps): update all github action dependencies (main) (cilium/cilium#35246, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#35378, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#35437, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#35571, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#35221, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#35287, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#35376, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#35490, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#35524, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.19 (main) (cilium/cilium#35198, @cilium-renovate[bot])
* chore(deps): update dependency renovatebot/renovate to v38.128.6 (main) (cilium/cilium#35448, @cilium-renovate[bot])
* chore(deps): update dependency renovatebot/renovate to v38.132.2 (main) (cilium/cilium#35572, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.2 docker digest to a7f2fc9 (main) (cilium/cilium#35373, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.2 docker digest to ad5c126 (main) (cilium/cilium#35568, @cilium-renovate[bot])
* chore(deps): update go to v1.23.2 (main) (cilium/cilium#35199, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.30.6-1727741038-3056acb56ecfedf13398e5072c8f73320fe5e06f (main) (cilium/cilium#35136, @cilium-renovate[bot])
* ci: fix build-images-base to not die in forks (cilium/cilium#34950, @jsoref)
* cilium, docs: Extend requirements for L7 proxy (cilium/cilium#35669, @borkmann)
* cilium-cli: account for opt out labels in node to node encryption tests (cilium/cilium#35585, @giorio94)
* cilium-cli: connectivity test: support every kind of resource for tests (cilium/cilium#35314, @squeed)
* cilium-cli: Show config.cilium.io annotations on configmap (cilium/cilium#35020, @joamaki)
* cilium-dbg: Add "bpf ipcache delete/update" (cilium/cilium#35454, @jschwinger233)
* cilium: add probe for netkit for more user friendly error when not supported (cilium/cilium#35551, @borkmann)
* cilium: follow-ups on annotation mode (cilium/cilium#35224, @borkmann)
* cilium: support service source ranges also for other types (cilium/cilium#35512, @borkmann)
* clustermesh: add a readme explaining MCS-API implementation (cilium/cilium#35339, @MrFreezeex)
* clustermesh: fix flaky TestRemoteClusterStatus integration test (cilium/cilium#35122, @giorio94)
* clustermesh: refactor MCS-API derived service controller (cilium/cilium#35039, @MrFreezeex)
* CODEOWNERS: let cilium/ipsec cover .github/actions/ipsec (cilium/cilium#35578, @julianwiedmann)
* CODEOWNERS: pull in sig-policy for bpf/lib/policy.h (cilium/cilium#35258, @julianwiedmann)
* connectivity: Introduce Multicast connectivity test (cilium/cilium#34530, @yushoyamaguchi)
* container/set: fix bug in `Set[T].Equal`, increase test coverage (cilium/cilium#35315, @tklauser)
* Control whether the anti-affinity rule is applied to cilium daemonset pods. Omitting the rule improves scheduling throughput for large clusters. (cilium/cilium#35014, @sypakine)
* ctrl-runtime: lower severity of retryable reconcile errors (cilium/cilium#35364, @giorio94)
* daemon: ensure tunnel map absence when running in native routing mode (cilium/cilium#35544, @giorio94)
* daemon: kpr: group all SocketLB related checks together (cilium/cilium#35450, @julianwiedmann)
* datapath: move policy map value prefix length to flags (cilium/cilium#35534, @jrajahalme)
* datapath: require TCP EDT support and writeable skb queue_mapping (cilium/cilium#34491, @julianwiedmann)
* dbg: envoy: Introduce possibility to change Envoy log level (cilium/cilium#35509, @mhofstetter)
* dbg: increase limit when safely reading envoy metrics via cilium-dbg (cilium/cilium#35528, @mhofstetter)
* doc: Fixed Gateway API vs. Ingress naming mistake (cilium/cilium#35499, @PhilipSchmid)
* docs: Add known issue for netkit endpoint route issues (cilium/cilium#35126, @jrife)
* docs: Add parameter to generate SSH keys for AKS "getting started" steps. (cilium/cilium#35270, @pedroignacio13)
* docs: Change invalid Helm option --agent.enabled with --agent=false in upgrade documentation (cilium/cilium#35288, @oneumyvakin)
* docs: clean up stale kernel requirements (cilium/cilium#35575, @julianwiedmann)
* docs: Fix markdown in pkg/loadbalancer/experimental/README.md (cilium/cilium#35065, @DamianSawicki)
* docs: improve KPR documentation (cilium/cilium#35147, @julianwiedmann)
* docs: kpr: update error message regarding SocketLB tracing (cilium/cilium#35337, @julianwiedmann)
* Docs: make ToServices selectors work for in-cluster services too (cilium/cilium#35506, @chaunceyjiang)
* docs: network policy: remove SCTP from `missing features` list (cilium/cilium#35238, @julianwiedmann)
* docs: Trivial improvements to contributor guide (cilium/cilium#35307, @pmatulis)
* docs: tuning: XDP LB also supports tunnel routing (cilium/cilium#35574, @julianwiedmann)
* docs: update bisect instructions (cilium/cilium#35194, @aanm)
* docs: update default identity label filters (cilium/cilium#35422, @marseel)
* docs: Updated contributing_guide documentation files (cilium/cilium#35061, @AdityaK60)
* docs: XFRM reference guide for IPsec development (cilium/cilium#35322, @pchaigno)
* Documentation/bgp: Add note about operator logs into BGP operation guide (cilium/cilium#35580, @rastislavs)
* Enable testifylint to lint test files, and mechanically fix reported issues (cilium/cilium#35237, @giorio94)
* Endpoint redirect cleanup (cilium/cilium#35350, @jrajahalme)
* endpoint/policy: Keep internals separate (cilium/cilium#35372, @jrajahalme)
* endpoint: remove deprecated and unused (*Endpoint).HasBPFPolicyMap (cilium/cilium#35146, @tklauser)
* Envoy simplify listener setup (cilium/cilium#35642, @jrajahalme)
* envoy: avoid syncing empty Envoy secret (cilium/cilium#35521, @mhofstetter)
* envoy: Configure internal_address_config to avoid warning log (cilium/cilium#35090, @sayboras)
* Fix a potential issue where VXLAN-in-ESP policies are installed erroneously when EGW is enabled. (cilium/cilium#35549, @ldelossa)
* Fix Cilium developer community Zoom meeting link (cilium/cilium#35516, @ptrivedi)
* Fix wrongly spelled config option in error message (cilium/cilium#35390, @baurmatt)
* fix(deps): update all go dependencies main (main) (cilium/cilium#35244, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#35441, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#35467, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#35245, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#35375, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#35435, @cilium-renovate[bot])
* fix(deps): update kubernetes packages to v0.31.2 (main) (cilium/cilium#35570, @cilium-renovate[bot])
* fix(deps): update opentelemetry-go monorepo to v1.31.0 (main) (cilium/cilium#35377, @cilium-renovate[bot])
* fix: hubble exporter filter test with clashing filters (cilium/cilium#35058, @rectified95)
* fix: Temporarily disable test TestDeleteUsedCIDIsRecreated (cilium/cilium#35159, @dlapcevic)
* Fixed Cilium CLI fatal error: concurrent map read and map write (cilium/cilium#35396, @chaunceyjiang)
* github: action: allow to specify lvh port-forward list (cilium/cilium#35458, @jibi)
* helm: Add certgen.generateCA value (cilium/cilium#35602, @sderoe)
* Helm: add LoadBalancer option as comment for Hubble relay service type (cilium/cilium#34957, @darox)
* helm: Add priorityClass & nodeSelector to certgen jobs (cilium/cilium#35429, @adberger)
* Hive scripts and the cilium shell (cilium/cilium#35154, @joamaki)
* hubble: Add 'release' Make target (cilium/cilium#35561, @michi-covalent)
* hubble: Combine hubble and hubble-bin make targets (cilium/cilium#35256, @michi-covalent)
* hubble: fix drop notify test (cilium/cilium#35196, @rolinh)
* hubble: remove outdated //go:build go1.18 tag (cilium/cilium#35174, @tklauser)
* hubble: Use hubble-bin target to generate release binaries (cilium/cilium#35127, @michi-covalent)
* identity: Allow registration of additional identity handlers (cilium/cilium#35523, @gandro)
* image: Use cilium-builder instead of golang as operator builder image (cilium/cilium#35351, @learnitall)
* Improve compatibility with LLVM 18. (cilium/cilium#34593, @gentoo-root)
* Improve compatibility with LLVM 18. (cilium/cilium#35590, @gentoo-root)
* Improve the performance of endpoints correlation in service cache (cilium/cilium#35604, @giorio94)
* install/kubernetes: fix Operator's clusterrole for pods deletion (cilium/cilium#35193, @aanm)
* Introduce an option to control if NodeIPAM or LBIPAM should be the default Service LoadBalancer (cilium/cilium#35074, @MrFreezeex)
* ipsec: Refactor `IPSecDir` (cilium/cilium#35346, @pchaigno)
* iptables: always warn about missing xt_socket module (cilium/cilium#35591, @julianwiedmann)
* Log entries printed from config subsys during startup now honor logging config such as LogDriver, LogOpt or Debug. (cilium/cilium#34620, @jingyuanliang)
* logging: consistent error attribute when emitted through logr (cilium/cilium#35397, @giorio94)
* MAINTAINERS: Add Dorde (cilium/cilium#35357, @pchaigno)
* MAINTAINERS: New emeritus committers (cilium/cilium#35359, @pchaigno)
* MAINTAINERS: Update affiliations (cilium/cilium#35352, @pchaigno)
* Make triggers less garbage intensive (cilium/cilium#35541, @bimmlerd)
* make: add hubble cli to kind-image-fast-agent (cilium/cilium#35344, @kaworu)
* maps/nat/stats: check the snat tuple direction as a bitmask. (cilium/cilium#34504, @tommyp1ckles)
* minor pkg/ip fixes (cilium/cilium#35130, @bimmlerd)
* Minor updates in configuration and community docs (cilium/cilium#35132, @AdityaK60)
* node: remove unused GetHostMasqueradeIPv*() helpers (cilium/cilium#35519, @julianwiedmann)
* operator-id-management: agent waits for global identities (cilium/cilium#34867, @dlapcevic)
* operator/watchers: skip expensive debug log operations when disabled (cilium/cilium#35605, @giorio94)
* operator: Convert logrus to slog (cilium/cilium#35567, @sayboras)
* operator: fix Test_performCiliumNodeGC (cilium/cilium#35317, @giorio94)
* pkg/ciliumidentity: Fix DeleteUsedCIDIsRecreated test (cilium/cilium#35466, @ovidiutirla)
* Policy mapstate cleanups (cilium/cilium#35233, @jrajahalme)
* Policy mapstate cleanups redux (cilium/cilium#35305, @jrajahalme)
* policy: Add config for enabling Cilium Clusterwide Network Policy (cilium/cilium#35405, @dlapcevic)
* policy: Add config for enabling Cilium NetworkPolicy (cilium/cilium#35049, @dlapcevic)
* policy: Add IDManager interface (cilium/cilium#35112, @dlapcevic)
* policy: Add PolicyRepository interface (cilium/cilium#35067, @dlapcevic)
* policy: Add ResourcesWatcher interface to policy directory (cilium/cilium#35110, @dlapcevic)
* policy: Do not record a change if nothing was done (cilium/cilium#35111, @jrajahalme)
* policy: Reduce allocs when keeping track of owners (cilium/cilium#34692, @jrajahalme)
* policy: remove unused addL4Filter ruleLabels parameter (cilium/cilium#35398, @tklauser)
* policy: Simplify L4PolicyMap Structure (cilium/cilium#35321, @nathanjsweet)
* policy: Wait on sync.WaitGroup only after adding to it (cilium/cilium#35195, @jrajahalme)
* Prepare for release v1.17.0-pre.1 (cilium/cilium#35134, @cilium-release-bot[bot])
* README.rst: Add "Powered-by-eBPF" and CNCF logos to README, link to ebpf.io and cncf.io (cilium/cilium#35192, @sknrao)
* README: Update badge for GAPI v1.1.0 (cilium/cilium#35217, @joestringer)
* README: Update releases (cilium/cilium#35140, @aanm)
* Refactor Hubble as a cell (cilium/cilium#35206, @kaworu)
* Refactor XFRM policy and state creation (cilium/cilium#35210, @ldelossa)
* refactor: Use error definition in github.com/cilium/ebpf instead of using hard-coded error message (cilium/cilium#35389, @yushoyamaguchi)
* Refactored the endpoint and policy packages to separate test-specific code from production code. (cilium/cilium#35384, @roykharman)
* Reimplement experimental load-balancing tests in scripttest (cilium/cilium#35480, @joamaki)
* Remove deprecated call to DialContext in Hubble (cilium/cilium#34241, @davchos)
* renovate: Skip auto-upgrade for deepequal-gen (cilium/cilium#35453, @sayboras)
* renovate: temporarily do not update GoBGP dependency (cilium/cilium#35272, @rastislavs)
* renovate: Update allowed cilium-envoy version for stable branches (cilium/cilium#35566, @sayboras)
* Replace `inctimer` package with `time.After` (cilium/cilium#35653, @tklauser)
* Revert "Fixed Cilium CLI fatal error: concurrent map read and map write" (cilium/cilium#35391, @pchaigno)
* Rework error handling logic in neighbor discovery (cilium/cilium#35144, @pippolo84)
* servicemesh: add make target for local testing (cilium/cilium#35169, @marseel)
* StateDB in Cilium guide (cilium/cilium#34686, @joamaki)
* Strip quotes from modifier arg in all Dockerfiles (cilium/cilium#35427, @hemanthmalla)
* test(notify): add tests to compare flow proto parsed from notify events (cilium/cilium#35059, @sypakine)
* versioned: Never clean up current version (cilium/cilium#35190, @jrajahalme)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.0-pre.2@sha256:9027c22b27e600e56eef6b35771629e9d14a7e9075170f516845d30b5776943d`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.0-pre.2@sha256:6771668172fccc9b0e76e12b61552bb2e8bd03a7954224cf3add983ca90e511d`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.0-pre.2@sha256:42f06a4047d35e5a051a29fe807f8348be608aa3f5775605f502177b803d51a1`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.0-pre.2@sha256:f37cf93adc02d60143132272169ff6e528b9271d1c46830d802271c22606720f`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.0-pre.2@sha256:5b0b8fb95315abc81fd58d1d891dc6818a0deacdf32451ecd5550ab5775ce096`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.0-pre.2@sha256:f26f0ff726bdab83ad97c0c53625fbd648e5d48a1c5dcba814a67c08bd33bfe3`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.0-pre.2@sha256:99e63566ea440d2b8f034088aff448c6b540e2e11a131fbe67c8106880e6511a`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.0-pre.2@sha256:2262d42f99acce0aefac822e0317f4d74668a5e76d54f736f19b75f6081184cb`

### operator

`quay.io/cilium/operator:v1.17.0-pre.2@sha256:c942451db47217ace6b9e134734a0f148c3b0d474e9cc08a1fbe44d7b7d75be9`


1.16.3 (2024-10-16)

Summary of Changes
------------------

**Bugfixes:**
* bgpv2: fix reconciliation of services with shared VIPs (Backport PR #35274, Upstream PR #35166, @rastislavs)
* bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (Backport PR #35036, Upstream PR #34976, @rastislavs)
* bpf: nat: recreate a NAT entry if the packet hits the stale entry (Backport PR #35036, Upstream PR #34913, @ysksuzuki)
* bugtool: fix cilium-health command (Backport PR #35274, Upstream PR #35068, @ayuspin)
* Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (Backport PR #35036, Upstream PR #34941, @bimmlerd)
* Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #35036, Upstream PR #34789, @tommyp1ckles)
* Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (Backport PR #34918, Upstream PR #34651, @smagnani96)
* Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #35036, Upstream PR #34783, @dylandreimerink)
* Fixed bug in tracking policy changes that could have resulted in revert not working in failure cases as expected. (Backport PR #35274, Upstream PR #35109, @jrajahalme)
* Fixed bug where service id allocator would loop infinitely when out of service ids (Backport PR #35274, Upstream PR #35033, @WeeNews)
* Fixes startup fatal error when updating CiliumNode resource. (Backport PR #34918, Upstream PR #34862, @harsimran-pabla)
* gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #35274, Upstream PR #34808, @cfsnyder)
* helm template function no longer errors when using k8sServiceHost: auto (Backport PR #35274, Upstream PR #35186, @kreeuwijk)
* hubble: add printer for lost events (Backport PR #35274, Upstream PR #35208, @aanm)
* ipcache: Yet another refcounting fix with mix of APIs (Backport PR #35036, Upstream PR #34715, @gandro)
* netkit: Allow ARP packets through when using host firewall. (Backport PR #35274, Upstream PR #35070, @jrife)
* wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (Backport PR #35115, Upstream PR #34612, @jrife)

**CI Changes:**
* .github/lint-build-commits: fix workflow for push events (Backport PR #35274, Upstream PR #35264, @aanm)
* .github: create cache directories on cache miss (Backport PR #35157, Upstream PR #35088, @aanm)
* .github: do not push floating tag from PRs (Backport PR #35230, Upstream PR #35227, @aanm)
* .github: install golang action after checkout (Backport PR #35157, Upstream PR #34843, @aanm)
* .github: re-enable configurations in e2e-upgrade (Backport PR #35157, Upstream PR #34800, @aanm)
* .github: specify cache-dependency-path in lint-workflows (Backport PR #35157, Upstream PR #34845, @aanm)
* [1.16] test: Skip envoy internal_address_config warning log (cilium/cilium#35053, @pippolo84)
* [v1.16] gha: fix incorrect go version in lint-build-commits workflow (cilium/cilium#35312, @giorio94)
* ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #34918, Upstream PR #34820, @aanm)
* fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #34918, Upstream PR #34902, @Artyop)
* servicemesh, ci: run internal to NodePort test (Backport PR #35274, Upstream PR #35177, @marseel)

**Misc Changes:**
* .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #35157, Upstream PR #34847, @aanm)
* .github: clean up disk for lint-build workflow (Backport PR #35157, Upstream PR #35141, @aanm)
* .github: fix build image process to commit changes (Backport PR #35274, Upstream PR #35262, @aanm)
* .github: fix lvh-kind warnings (Backport PR #35157, Upstream PR #34811, @aanm)
* .github: fix runtime image digests (Backport PR #35274, Upstream PR #35107, @aanm)
* .github: push floating tag for push events for stable branches (cilium/cilium#35235, @aanm)
* [v1.16] .github: do not update github runners for bpf workflows (cilium/cilium#35106, @aanm)
* [v1.16] manually update dependency cilium/cilium-cli to v0.16.19 (v1.16) (cilium/cilium#35310, @julianwiedmann)
* bgpv2/docs: add ebgp multihop documentation (Backport PR #35036, Upstream PR #34951, @harsimran-pabla)
* bgpv2: cleanup service reconciliation logic (Backport PR #35036, Upstream PR #34959, @rastislavs)
* Change GH runners to GH's default (Backport PR #35157, Upstream PR #33451, @aanm)
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#35025, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#35082, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#35250, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#35005, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#35283, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.16) (cilium/cilium#34999, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.16) (cilium/cilium#35101, @cilium-renovate[bot])
* chore(deps): update go to v1.22.8 (v1.16) (cilium/cilium#35201, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.16) (cilium/cilium#35137, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.16) (cilium/cilium#35218, @cilium-renovate[bot])
* cilium-cli: Show config.cilium.io annotations on configmap (Backport PR #35155, Upstream PR #35020, @joamaki)
* docs: Add known issue for netkit endpoint route issues (Backport PR #35274, Upstream PR #35126, @jrife)
* docs: fix EKS Kubernetes compatibility link (Backport PR #35036, Upstream PR #34922, @fjvela)
* docs: Improve warning on insecure global IPsec keys (Backport PR #34918, Upstream PR #34846, @pchaigno)
* docs: move sig-policy to second Tuesday of the month (Backport PR #35115, Upstream PR #35040, @squeed)
* fix: Assign PodStore from Pod resource until cell migration is completed (Backport PR #35274, Upstream PR #34090, @dlapcevic)
* helm: add client auth to hubble server certificate (Backport PR #35036, Upstream PR #34934, @kaworu)
* helm: set key usages for hubble certificates with cert-manager (Backport PR #35036, Upstream PR #34946, @kaworu)
* Improve speed on lint commits GH workflow (Backport PR #35157, Upstream PR #34848, @aanm)
* install/kubernetes: fix Operator's clusterrole for pods deletion (Backport PR #35274, Upstream PR #35193, @aanm)
* Re-write GitHub cache usages across workflows (Backport PR #35157, Upstream PR #34866, @aanm)
* Remove conformance-e2e tests (Backport PR #35157, Upstream PR #34742, @aanm)

**Other Changes:**
* [v1.16] Add missing test coverage in v1.16 branch (cilium/cilium#35223, @aanm)
* [v1.16] author backport: fix ENABLE_LOCAL_REDIRECT_POLICY (cilium/cilium#35129, @ysksuzuki)
* [v1.16] author backport: LRP fixes (cilium/cilium#35072, @ysksuzuki)
* [v1.16] ginkgo: disable test for deprecated annotations-based L7 visibility (cilium/cilium#35160, @tklauser)
* [v1.16] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (cilium/cilium#35151, @tklauser)
* install: Update image digests for v1.16.2 (cilium/cilium#35052, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28`
`quay.io/cilium/cilium:stable@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.3@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.3@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae`
`quay.io/cilium/docker-plugin:stable@sha256:87af6722fdf73cd98123635108f1507d2c982aad82b89906a2925dc4e251acae`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.3@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089`
`quay.io/cilium/hubble-relay:stable@sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.3@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898`
`quay.io/cilium/operator-alibabacloud:stable@sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898`

### operator-aws

`quay.io/cilium/operator-aws:v1.16.3@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916`
`quay.io/cilium/operator-aws:stable@sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916`

### operator-azure

`quay.io/cilium/operator-azure:v1.16.3@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542`
`quay.io/cilium/operator-azure:stable@sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542`

### operator-generic

`quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b`
`quay.io/cilium/operator-generic:stable@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b`

### operator

`quay.io/cilium/operator:v1.16.3@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f`
`quay.io/cilium/operator:stable@sha256:11219d0027c7ab5fb5ac531d4456b570b51f0d871c52c69e5e70c164bb38af0f`


1.15.10 (2024-10-16)

Summary of Changes
------------------

**Minor Changes:**
* bpf: do not invoke llc from Makefiles (Backport PR #35168, Upstream PR #29459, @lmb)

**Bugfixes:**
* bugtool: fix cilium-health command (Backport PR #35276, Upstream PR #35068, @ayuspin)
* Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #34917, Upstream PR #34303, @julianwiedmann)
* Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (Backport PR #35037, Upstream PR #34789, @tommyp1ckles)
* Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (Backport PR #35037, Upstream PR #34783, @dylandreimerink)
* Fixed bug in tracking policy changes that could have resulted in revert not working in failure cases as expected. (Backport PR #35276, Upstream PR #35109, @jrajahalme)
* Fixed bug where service id allocator would loop infinitely when out of service ids (Backport PR #35276, Upstream PR #35033, @WeeNews)
* Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR #35276, Upstream PR #34611, @dboslee)
* Fixes startup fatal error when updating CiliumNode resource. (Backport PR #34917, Upstream PR #34862, @harsimran-pabla)
* gateway-api: Align GRPCRoute matchers with GEP specification (Backport PR #35276, Upstream PR #34808, @cfsnyder)

**CI Changes:**
* .github/lint-build-commits: fix workflow for push events (Backport PR #35276, Upstream PR #35264, @aanm)
* .github: create cache directories on cache miss (Backport PR #35168, Upstream PR #35088, @aanm)
* .github: do not push floating tag from PRs (Backport PR #35168, Upstream PR #35227, @aanm)
* .github: install golang action after checkout (Backport PR #35168, Upstream PR #34843, @aanm)
* .github: re-enable configurations in e2e-upgrade (Backport PR #35168, Upstream PR #34800, @aanm)
* .github: specify cache-dependency-path in lint-workflows (Backport PR #35168, Upstream PR #34845, @aanm)
* [v1.15] ci: fix check generated documentation (cilium/cilium#35261, @mhofstetter)
* ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #34917, Upstream PR #34820, @aanm)
* ci: increase wait duration after upgrade/downgrade in E2E upgrade test (Backport PR #35168, Upstream PR #32528, @mhofstetter)
* fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #34917, Upstream PR #34902, @Artyop)
* servicemesh, ci: run internal to NodePort test (Backport PR #35276, Upstream PR #35177, @marseel)

**Misc Changes:**
* .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #35168, Upstream PR #34847, @aanm)
* .github: clean up disk for lint-build workflow (Backport PR #35168, Upstream PR #35141, @aanm)
* .github: fix build image process to commit changes (Backport PR #35276, Upstream PR #35262, @aanm)
* .github: fix lvh-kind warnings (Backport PR #35168, Upstream PR #34811, @aanm)
* .github: fix runtime image digests (Backport PR #35118, Upstream PR #35107, @aanm)
* [v1.15] helm: bump certgen to v0.1.15 (cilium/cilium#35034, @kaworu)
* Change GH runners to GH's default (Backport PR #35168, Upstream PR #33451, @aanm)
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#35027, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#35092, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#35251, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#35026, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.15) (cilium/cilium#35000, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.19 (v1.15) (cilium/cilium#35202, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.2 (v1.15) (cilium/cilium#35241, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.15) (cilium/cilium#35091, @cilium-renovate[bot])
* chore(deps): update go to v1.22.8 (v1.15) (cilium/cilium#35203, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.15) (cilium/cilium#35083, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727741018-e3a7412f65722ebbe34254b3582b89d315765d0d (v1.15) (cilium/cilium#35138, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.15) (cilium/cilium#35219, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd (v1.15) (cilium/cilium#35284, @cilium-renovate[bot])
* helm: set key usages for hubble certificates with cert-manager (Backport PR #35037, Upstream PR #34946, @kaworu)
* images/builder: get rid of annoying git ownership warnings (Backport PR #35276, Upstream PR #31538, @ti-mo)
* Improve speed on lint commits GH workflow (Backport PR #35168, Upstream PR #34848, @aanm)
* Re-write GitHub cache usages across workflows (Backport PR #35168, Upstream PR #34866, @aanm)
* Remove conformance-e2e tests (Backport PR #35168, Upstream PR #34742, @aanm)

**Other Changes:**
* [v1.15] test/k8s: replace L7 visibility Pod annotations by L7 visibility policy (cilium/cilium#35152, @tklauser)
* install: Update image digests for v1.15.9 (cilium/cilium#35051, @cilium-release-bot[bot])
* policy: Fix breakages on v1.15 branch (cilium/cilium#35300, @christarazi)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.15.10@sha256:cd096a343861d48e2849b403f0c410bfbb36e64d042f0692b73b93c97d94d9bd`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.15.10@sha256:0d8d5490fa6097d4e7539ffcec705dd25f3f992f29528d6ec999497a02cb1399`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.15.10@sha256:2cb1f30f87c29d5f98b7a59f743c40a1474d2b1e615153a6799a92389d1aa074`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.15.10@sha256:d4378eb133a6bdf39f50d874b59b72f95d0da2e78bd545b3c053f3c479f593b2`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.15.10@sha256:c78ac42e043f9e77172250a1b6997bbcd8356bb8fe7a4784deaea049207ceb9f`

### operator-aws

`quay.io/cilium/operator-aws:v1.15.10@sha256:c1af1bae559cd0dd9a1867a4ede95f1fef07e3de173b2b82638ebd7d91256ea0`

### operator-azure

`quay.io/cilium/operator-azure:v1.15.10@sha256:6cd04b35320824a50b43aa5d7fbfa6d11826f6c5ec8e4853da04a28aa3531695`

### operator-generic

`quay.io/cilium/operator-generic:v1.15.10@sha256:2f49dca6f9692e317601ae8b5bad7d2dc50cedad38cc8d410db14c1fc57719e4`

### operator

`quay.io/cilium/operator:v1.15.10@sha256:d1c10ea451c3b3d6cd62984fa653974482ffe8e083497f4e4b011d8ab5dbe964`


1.14.16 (2024-10-16)

Summary of Changes
------------------

**Bugfixes:**
* datapath: Fix redirect from L3 netdev to tunnel (Backport PR #35265, Upstream PR #33421, @brb)
* Fixed bug in tracking policy changes that could have resulted in revert not working in failure cases as expected. (Backport PR #35279, Upstream PR #35109, @jrajahalme)
* Fixed bug where service id allocator would loop infinitely when out of service ids (Backport PR #35279, Upstream PR #35033, @WeeNews)
* Fixes startup fatal error when updating CiliumNode resource. (Backport PR #34916, Upstream PR #34862, @harsimran-pabla)

**CI Changes:**
* .github/lint-build-commits: fix workflow for push events (Backport PR #35279, Upstream PR #35264, @aanm)
* .github: create cache directories on cache miss (Backport PR #35176, Upstream PR #35088, @aanm)
* .github: do not push floating tag from PRs (Backport PR #35229, Upstream PR #35227, @aanm)
* .github: install golang action after checkout (Backport PR #35176, Upstream PR #34843, @aanm)
* .github: re-enable configurations in e2e-upgrade (Backport PR #35176, Upstream PR #34800, @aanm)
* .github: specify cache-dependency-path in lint-workflows (Backport PR #35176, Upstream PR #34845, @aanm)
* ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR #34916, Upstream PR #34820, @aanm)
* fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR #34916, Upstream PR #34902, @Artyop)

**Misc Changes:**
* .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR #35176, Upstream PR #34847, @aanm)
* .github: clean up disk for lint-build workflow (Backport PR #35176, Upstream PR #35141, @aanm)
* .github: fix build image process to commit changes (Backport PR #35279, Upstream PR #35262, @aanm)
* .github: fix lvh-kind warnings (Backport PR #35176, Upstream PR #34811, @aanm)
* .github: fix runtime image digests (Backport PR #35119, Upstream PR #35107, @aanm)
* .github: push floating tag for push events for stable branches (cilium/cilium#35234, @aanm)
* [v1.14] contrib/scripts: set 755 permissions for builder.sh (cilium/cilium#35266, @aanm)
* Change GH runners to GH's default (Backport PR #35176, Upstream PR #33451, @aanm)
* chart: define the envoy image variable in the makefile (Backport PR #35113, Upstream PR #27725, @weizhoublue)
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#35029, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#35087, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#35252, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.14) (cilium/cilium#35028, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.14) (cilium/cilium#35001, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.19 (v1.14) (cilium/cilium#35204, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.2 (v1.14) (cilium/cilium#35242, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.7 docker digest to ddad330 (v1.14) (cilium/cilium#35093, @cilium-renovate[bot])
* chore(deps): update go to v1.22.8 (v1.14) (cilium/cilium#35205, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) (cilium/cilium#35085, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) (cilium/cilium#35108, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.14) (cilium/cilium#35220, @cilium-renovate[bot])
* chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd (v1.14) (cilium/cilium#35285, @cilium-renovate[bot])
* helm: set key usages for hubble certificates with cert-manager (Backport PR #35038, Upstream PR #34946, @kaworu)
* images/builder: get rid of annoying git ownership warnings (Backport PR #35279, Upstream PR #31538, @ti-mo)
* Improve speed on lint commits GH workflow (Backport PR #35176, Upstream PR #34848, @aanm)
* Re-write GitHub cache usages across workflows (Backport PR #35176, Upstream PR #34866, @aanm)

**Other Changes:**
* [v1.14] image: Update runtime, builder images (cilium/cilium#35097, @sayboras)
* install: Update image digests for v1.14.15 (cilium/cilium#35050, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`docker.io/cilium/cilium:v1.14.16@sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2`
`quay.io/cilium/cilium:v1.14.16@sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2`

### clustermesh-apiserver

`docker.io/cilium/clustermesh-apiserver:v1.14.16@sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186`
`quay.io/cilium/clustermesh-apiserver:v1.14.16@sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186`

### docker-plugin

`docker.io/cilium/docker-plugin:v1.14.16@sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d`
`quay.io/cilium/docker-plugin:v1.14.16@sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d`

### hubble-relay

`docker.io/cilium/hubble-relay:v1.14.16@sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9`
`quay.io/cilium/hubble-relay:v1.14.16@sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9`

### kvstoremesh

`docker.io/cilium/kvstoremesh:v1.14.16@sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0`
`quay.io/cilium/kvstoremesh:v1.14.16@sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0`

### operator-alibabacloud

`docker.io/cilium/operator-alibabacloud:v1.14.16@sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7`
`quay.io/cilium/operator-alibabacloud:v1.14.16@sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7`

### operator-aws

`docker.io/cilium/operator-aws:v1.14.16@sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1`
`quay.io/cilium/operator-aws:v1.14.16@sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1`

### operator-azure

`docker.io/cilium/operator-azure:v1.14.16@sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448`
`quay.io/cilium/operator-azure:v1.14.16@sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448`

### operator-generic

`docker.io/cilium/operator-generic:v1.14.16@sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8`
`quay.io/cilium/operator-generic:v1.14.16@sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8`

### operator

`docker.io/cilium/operator:v1.14.16@sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef`
`quay.io/cilium/operator:v1.14.16@sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef`


1.17.0-pre.1 (2024-10-01)

Summary of Changes
------------------

**Major Changes:**
* feat: fast and standard queue in CES controller (cilium/cilium#34199, @Kaczyniec)

**Minor Changes:**
* Added Helm Chart value for overriding target namespace. (cilium/cilium#34624, @thewilli)
* Cilium now handles MTU changes to devices without restarting (cilium/cilium#34314, @dylandreimerink)
* cilium-cli: Deprecate --disable-check flag (cilium/cilium#34953, @michi-covalent)
* CiliumCIDRGroup now supports large numbers of CIDRs. CiliumCIDRGroup now integrates with Hubble flows. (cilium/cilium#33441, @squeed)
* daemon: bpf: add --bpf-conntrack-accounting-enabled flag (cilium/cilium#34921, @jibi)
* daemon: Make cilium status independent from k8s status (cilium/cilium#32724, @tkna)
* Enables a new metric in the cilium operator to indicate unmanaged pods. (cilium/cilium#34815, @nimishamehta5)
* envoy: Bump envoy version from v1.30.4 to v1.30.6 (cilium/cilium#34967, @sayboras)
* feat(cilium-cli-clustermesh): Improve --destination-context option for connecting multiple remote contexts (cilium/cilium#34510, @littlejo)
* Fix handling of route replace rules in ENI IPAM mode when `ipv4-native-routing-cidr` is set to `0.0.0.0/0`. (cilium/cilium#34436, @chapsuk)
* gateway-api: Add support for HTTP Retry (cilium/cilium#34720, @sayboras)
* gateway-api: Add support for mirror fraction (cilium/cilium#34602, @sayboras)
* gateway-api: Sync up with the latest upstream v1.2.0-rc1 (cilium/cilium#34807, @sayboras)
* Implement `cilium-dbg bpf frag list` command to list IPv4 datagram fragments. (cilium/cilium#34751, @Huweicai)
* k8s: Add "service.cilium.io/type" (cilium/cilium#34772, @brb)
* k8s: Add support for 1.31.0 (cilium/cilium#34463, @christarazi)
* Low-hanging fruit performance improvements of the hubble consumer module (cilium/cilium#34535, @giorio94)
* metrics: add structured format for Hubble metrics and options. (cilium/cilium#34849, @rectified95)
* Multi-Pool IPAM now allows the use of /32 or /128 CIDRs in CiliumPodIPPools (cilium/cilium#34618, @juliusmh)
* Remove workaround for Azure CNI bridge mode from nodeinit script. (cilium/cilium#34870, @wedaly)
* version: Don't create k8s client if --client is specified (cilium/cilium#34914, @michi-covalent)

**Bugfixes:**
* bgpv2: Fix service reconciliation logic to update service advertisement metadata only after successful reconciliation (cilium/cilium#34976, @rastislavs)
* bpf: nat: recreate a NAT entry if the packet hits the stale entry (cilium/cilium#34913, @ysksuzuki)
* cli: fix a case when connectivity perf command was hanging if LRP was enabled in the cluster (cilium/cilium#35063, @marseel)
* Correctly format `cilium status -o json` CLI output for errors and warnings (cilium/cilium#34654, @nimishamehta5)
* Fix a low-probability issue where the DNS proxy could occasionally drop DNS queries due to "duplicate request id" errors. (cilium/cilium#34941, @bimmlerd)
* Fix Hubble exporter config uses wrong separator (cilium/cilium#34621, @chaunceyjiang)
* Fix issue where bpf packet buffer mark would in some cases set incorrect mark value resulting in incorrectly SNATed traffic. (cilium/cilium#34789, @tommyp1ckles)
* Fix missing Helm chart version for status command (cilium/cilium#34748, @pgils)
* Fix parameter check to forbid IPAM ENI with TUNNEL routing, and prevent agent segfault when also IPSec is enabled. (cilium/cilium#34651, @smagnani96)
* Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (cilium/cilium#34721, @giorio94)
* Fix runtime panic with L2announcer name generation (cilium/cilium#35031, @YutaroHayakawa)
* Fix services could not be removed in sync-lb-maps-with-k8s-services controller (cilium/cilium#33885, @haozhangami)
* Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (cilium/cilium#34775, @julianwiedmann)
* fix(clustermesh): mesh connection mode (cilium/cilium#34932, @littlejo)
* Fixed bug in LB-IPAM where restarting the operator would unshare previously shared IPs between services (cilium/cilium#34783, @dylandreimerink)
* Fixed bug where service id allocator would loop infinitely when out of service ids (cilium/cilium#35033, @WeeNews)
* Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (cilium/cilium#34611, @dboslee)
* Fixes startup fatal error when updating CiliumNode resource. (cilium/cilium#34862, @harsimran-pabla)
* gateway-api: Align GRPCRoute matchers with GEP specification (cilium/cilium#34808, @cfsnyder)
* helm: Render valid image specs when tag is empty (cilium/cilium#34891, @BenoitKnecht)
* ipcache: Yet another refcounting fix with mix of APIs (cilium/cilium#34715, @gandro)
* lrp: define ENABLE_LOCAL_REDIRECT_POLICY regardless of socketLB setting (cilium/cilium#34954, @ysksuzuki)
* Make initial nat gc async during Daemon initialization. (cilium/cilium#34070, @tommyp1ckles)
* Metrics: Fix the reporting of bootstrap metric "overall" scope as it was not capturing a part of initialization (cilium/cilium#34971, @marseel)
* The cilium dnsproxy now handles EDNS0 large buffersize advertisements better. (cilium/cilium#34852, @bimmlerd)
* wireguard: Fix issue where updates to a WireGuard device's configuration caused connectivity blips. (cilium/cilium#34612, @jrife)

**CI Changes:**
* .github/workflows: fix ci image cache cleaner (cilium/cilium#34819, @aanm)
* .github: add missing export in variable (cilium/cilium#34818, @aanm)
* .github: change nick-invision/retry -> nick-fields/retry. (cilium/cilium#34718, @tommyp1ckles)
* .github: create cache directories on cache miss (cilium/cilium#35088, @aanm)
* .github: install golang action after checkout (cilium/cilium#34843, @aanm)
* .github: prevent failure when deleting GitHub Actions cache (cilium/cilium#34844, @aanm)
* .github: re-enable configurations in e2e-upgrade (cilium/cilium#34800, @aanm)
* .github: remove CI tests from PR runs if not required (cilium/cilium#34726, @aanm)
* .github: specify cache-dependency-path in lint-workflows (cilium/cilium#34845, @aanm)
* ariane: don't run full test suite for BPF test changes (cilium/cilium#34931, @julianwiedmann)
* ariane: manage workflow exclusions for changes to CODEOWNERS and USERS.md (cilium/cilium#34894, @julianwiedmann)
* bpf/complexity-tests: Add ENABLE_LOCAL_REDIRECT_POLICY (cilium/cilium#35016, @ysksuzuki)
* bpf/complexity-tests: fix ENABLE_LOCAL_REDIRECT_POLICY (cilium/cilium#35099, @ysksuzuki)
* ci: 100 node scale - alert on bootstrap/cpu/memory regressions (cilium/cilium#34897, @marseel)
* ci: clean disk only on ubuntu-latest runners (cilium/cilium#34711, @marseel)
* ci: conformance-[gateway-api|ginkgo|ingress] wait for images before matrix generation (cilium/cilium#34820, @aanm)
* ci: Conformance E2E wait for images before matrix generation (cilium/cilium#34707, @marseel)
* CI: Fix syntax error in Image Cache Cleaner (cilium/cilium#35104, @brlbil)
* CI: l4lb allow extra opts (cilium/cilium#34813, @tommyp1ckles)
* ci: Move CiliumEndpointSlice migration to schedule (cilium/cilium#34828, @marseel)
* ci: Wait for images before generating test matrix (cilium/cilium#34727, @marseel)
* cilium-cli: connectivity: fix the local-redirect-policy flow validation (cilium/cilium#34919, @ysksuzuki)
* cilium-cli: Define CLI_MAIN_DIR Make variable (cilium/cilium#34910, @michi-covalent)
* fix: repository nil value handled on workflow_dispatch context for renovate updates (cilium/cilium#34902, @Artyop)
* gha: Enable Ingress Controller test in upgrade (cilium/cilium#34185, @sayboras)
* gha: fix permissions of update label backport PR workflow (cilium/cilium#35117, @giorio94)
* metrics: Add metrics config test for Hubble. (cilium/cilium#34325, @rectified95)
* Miscellaneous improvements to the clustermesh scale test (cilium/cilium#34704, @giorio94)
* Revert "ci: increase verbosity of print-downgrade-script.sh" (cilium/cilium#34863, @marseel)
* Run scheduled workflows every 8h instead of 6h (cilium/cilium#34898, @auriaave)
* test: add dual-stack to delegated IPAM E2E test (cilium/cilium#34937, @wedaly)
* test: Add unit tests for directory policy watcher (cilium/cilium#33920, @tamilmani1989)
* test: Cilium Identity management tests (cilium/cilium#34743, @dlapcevic)
* test: e2e tests for delegated IPAM (cilium/cilium#34839, @wedaly)

**Misc Changes:**
* .github/labeler: add exclusive cilium-cli label (cilium/cilium#34771, @aanm)
* .github: add cache to cilium-cli and hubble-cli build workflows (cilium/cilium#34847, @aanm)
* .github: do not update github runners for bpf workflows (cilium/cilium#35105, @aanm)
* .github: fix lvh-kind warnings (cilium/cilium#34811, @aanm)
* .github: fix runtime image digests (cilium/cilium#35107, @aanm)
* .mailmap: Add entry for Quentin's email (cilium/cilium#34708, @qmonnet)
* Add flag enabling LB IPAM (cilium/cilium#34945, @nebril)
* Add Jar to the users.md (cilium/cilium#34952, @rohan-changejar)
* Add Nutanix user (cilium/cilium#34752, @tuxtof)
* agent: add flag to enable internal traffic policy (cilium/cilium#34858, @nebril)
* agent: drop leftover logstash constant/field (cilium/cilium#34722, @giorio94)
* AUTHORS: fix duplicate entries (cilium/cilium#34714, @aanm)
* bgpv1: Add MatchFamilies option in RoutePolicyConditions (cilium/cilium#34674, @rastislavs)
* bgpv1: Cleanup BGP reconcilers setup to ensure that no BGP CP jobs are started when BGP CP is disabled (cilium/cilium#34836, @rastislavs)
* bgpv2/docs: add ebgp multihop documentation (cilium/cilium#34951, @harsimran-pabla)
* bgpv2: cleanup service reconciliation logic (cilium/cilium#34959, @rastislavs)
* Bitlpm fixes and improvements (cilium/cilium#34781, @jrajahalme)
* bpf/lib/icmpv6.h: cleanup hardcoded ICMPv6 types (cilium/cilium#34942, @msune)
* bpf: compile-test ENABLE_IP_MASQ_AGENT_IPV* (cilium/cilium#34701, @julianwiedmann)
* bpf: tests: don't specify ETH_HLEN for L2 devices (cilium/cilium#34906, @julianwiedmann)
* bpf: vxlan helper improvements (cilium/cilium#34755, @julianwiedmann)
* bugtool: collect `cilium-dbg bpf frag list` output (cilium/cilium#34868, @julianwiedmann)
* build-images-ci: skip SBOM for cilium-cli (cilium/cilium#35116, @aanm)
* Bump k8s version to 1.31 in some missing files (cilium/cilium#34778, @aanm)
* Bump StateDB to v0.3 with range-funcs (cilium/cilium#34729, @joamaki)
* chore(deps): update all github action dependencies (main) (cilium/cilium#34759, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#34877, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#35004, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (main) (cilium/cilium#35078, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#34757, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#34872, @cilium-renovate[bot])
* chore(deps): update all-dependencies (main) (cilium/cilium#34969, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.17 (main) (cilium/cilium#34875, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.18 (main) (cilium/cilium#34998, @cilium-renovate[bot])
* chore(deps): update dependency renovatebot/renovate to v38.80.0 (main) (cilium/cilium#34882, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.1 docker digest to 2fe82a3 (main) (cilium/cilium#34873, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.23.1 docker digest to 4f063a2 (main) (cilium/cilium#35075, @cilium-renovate[bot])
* chore(deps): update go to v1.23.1 (main) (cilium/cilium#34732, @cilium-renovate[bot])
* chore(deps): update golangci/golangci-lint docker tag to v1.61.0 (main) (cilium/cilium#34826, @cilium-renovate[bot])
* chore(deps): update https://github.com/cilium/scaffolding digest to a97aaf1 (main) (cilium/cilium#35100, @cilium-renovate[bot])
* chore(plugins): replace deprecated CNI function (cilium/cilium#34561, @SkalaNetworks)
* chore: Add constants for cloud APIs (cilium/cilium#34438, @jaffcheng)
* ci: fix ginkgo by replace k8s v1.27 with v1.31 (cilium/cilium#34773, @mhofstetter)
* cilium-cli/status: sort status lines (cilium/cilium#34927, @tklauser)
* cilium-cli/sysdump: export SubmitMetricsSubtask (cilium/cilium#34864, @tklauser)
* cilium-cli: collect BGPv2 CRD resources in sysdump (cilium/cilium#34684, @rastislavs)
* cilium-cli: remove copying of loop variables (cilium/cilium#34944, @tklauser)
* cilium-dbg: Show deleted objects when watching StateDB tables (cilium/cilium#34635, @joamaki)
* cilium: add minor annotation mode follow-ups (cilium/cilium#35102, @borkmann)
* cilium: add option to configure service annotation-based dispatch (cilium/cilium#35064, @borkmann)
* cilium: Enable health datapath also in annotation mode (cilium/cilium#35124, @borkmann)
* cli/connectivity: improvements for echo-ingress-l7-via-hostport test (cilium/cilium#34502, @julianwiedmann)
* clustermesh/endpointslicesync: fix panic on failure in Test_meshEndpointSlice_Reconcile (cilium/cilium#34699, @tklauser)
* datapath: clarify comment for EncryptNode (cilium/cilium#34924, @julianwiedmann)
* docs(users): add SDV Services (cilium/cilium#34746, @sjoukedv)
* docs, LRP: add note regarding the KPR configuration (cilium/cilium#35030, @ysksuzuki)
* docs: Clarify instructions for bumping K8s to avoid forks (cilium/cilium#34791, @christarazi)
* docs: fix EKS Kubernetes compatibility link (cilium/cilium#34922, @fjvela)
* docs: Improve warning on insecure global IPsec keys (cilium/cilium#34846, @pchaigno)
* docs: move sig-policy to second Tuesday of the month (cilium/cilium#35040, @squeed)
* Document about multicast sub-command of cilium-cli (cilium/cilium#34987, @yushoyamaguchi)
* driftchecker: Allow agent to monitor configuration drifts (cilium/cilium#34712, @ovidiutirla)
* egressgw: skip gateway config update on endpoint change events (cilium/cilium#34795, @julianwiedmann)
* endpoint: Use nanoseconds in policy logs (cilium/cilium#34679, @jrajahalme)
* envoy: Add configuration for OverloadManager (cilium/cilium#34682, @sayboras)
* envoy: possibility to configure separate default log level for Envoy (cilium/cilium#34728, @mhofstetter)
* envoy: update cilium/proxy to latest version (cilium/cilium#34769, @mhofstetter)
* experimental: Benchmark reconciling tables and BPF (cilium/cilium#34487, @DamianSawicki)
* feat(helm): allow setting resources for spire agent and server workloads (cilium/cilium#34822, @sjoukedv)
* fix add spi=0 to ipSecKeysRemovalTime (cilium/cilium#34652, @smagnani96)
* fix(deps): update all go dependencies main (main) (cilium/cilium#34548, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#34920, @cilium-renovate[bot])
* fix(deps): update all go dependencies main (main) (cilium/cilium#35024, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#34758, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#35003, @cilium-renovate[bot])
* fix(deps): update aws-sdk-go-v2 monorepo (main) (cilium/cilium#35077, @cilium-renovate[bot])
* fix(deps): update kubernetes packages to v0.31.1 (main) (cilium/cilium#34853, @cilium-renovate[bot])
* fix(deps): update opentelemetry-go monorepo to v1.30.0 (main) (cilium/cilium#34876, @cilium-renovate[bot])
* Fixed TestWatchAllKeys UT (cilium/cilium#35009, @chaunceyjiang)
* gateway-api: Enable GatewayStaticAddresses test in CI (cilium/cilium#34695, @sayboras)
* gateway-api: Sync up with latest version upstream (cilium/cilium#35047, @sayboras)
* generic-veth will ignore the automatically generated link-local IPv6 addresses on the link. (cilium/cilium#33959, @BSWANG)
* go: Replace x/maps package by respective standard libraries (cilium/cilium#34649, @sayboras)
* helm: add client auth to hubble server certificate (cilium/cilium#34934, @kaworu)
* helm: set key usages for hubble certificates with cert-manager (cilium/cilium#34946, @kaworu)
* hive/k8s: Add OnDemand[T] and the OnDemandTable (cilium/cilium#34799, @joamaki)
* hubble/filters: use netip types (cilium/cilium#34803, @tklauser)
* hubble: add file name and line number info to dropped flows (cilium/cilium#34616, @kaworu)
* images: fix path script (cilium/cilium#34764, @aanm)
* Improve speed on lint commits GH workflow (cilium/cilium#34848, @aanm)
* ingress: export Config[T] type. (cilium/cilium#34812, @tommyp1ckles)
* job: Prepare job names for hive bump (cilium/cilium#34838, @ovidiutirla)
* k8s: Convert service.cilium.io/node to annotation (cilium/cilium#34739, @brb)
* kvstore: remove obsolete key encoding/decoding methods (cilium/cilium#34925, @tklauser)
* kvstore: Remove SessionID from kvstore Value (cilium/cilium#34895, @odinuge)
* lbipam: Remove init done callback hooks (cilium/cilium#34785, @dylandreimerink)
* Link ariane triggers in testing/CI documentation. (cilium/cilium#34869, @sypakine)
* loader: de-dup LinkByName() calls for overlay / wireguard setup (cilium/cilium#34705, @julianwiedmann)
* Make flag that instructs LB-IPAM to only allocate IPs for services with .Spec.LoadBalancerClass specified functional (cilium/cilium#34985, @simu)
* Makefile: retry on kind load docker-image errors (cilium/cilium#34907, @jibi)
* operator: remove helper function `model.AddressOf` (cilium/cilium#34765, @mhofstetter)
* pkg/ciliumidentity: Prevent updateCID from modifying the resource store (cilium/cilium#34805, @ovidiutirla)
* pkg/ciliumidentity: Use hive cell context (cilium/cilium#34565, @ovidiutirla)
* pkg/dynamicconfig: Add support for multiple sources (cilium/cilium#34581, @ovidiutirla)
* policy: add flag enabling non-default-deny policy (cilium/cilium#34940, @nebril)
* policy: Fix Key stringer port range output (cilium/cilium#34842, @jrajahalme)
* Prepare for release v1.17.0-pre.0 (cilium/cilium#34694, @cilium-release-bot[bot])
* Re-write GitHub cache usages across workflows (cilium/cilium#34866, @aanm)
* README: Update releases (cilium/cilium#34710, @aanm)
* README: Update releases (cilium/cilium#35054, @nebril)
* Refactor the CiliumEndpointSlice subscriber public methods and increase test coverage (cilium/cilium#34671, @sypakine)
* Remove conformance-e2e tests (cilium/cilium#34742, @aanm)
* Remove note about TLSRoute being required by Cilium (cilium/cilium#34817, @youngnick)
* renovate: Correct the regex for cilium-envoy image (cilium/cilium#34886, @sayboras)
* renovate: Update allowedVersion for cilium-envoy (cilium/cilium#34978, @sayboras)
* Reuse deny CIDR benchmark in allow CIDR benchmark (cilium/cilium#34996, @christarazi)
* Services protocol differentiation: minor follow ups (cilium/cilium#34955, @jibi)
* Set go version to v1.23 in go.mod and fix codegen issue (cilium/cilium#34725, @joamaki)
* Show exact error message for "Error reading config file" (cilium/cilium#34617, @jingyuanliang)
* Transactional selector cache (cilium/cilium#34205, @jrajahalme)
* Use Go standard library slices package more extensively (cilium/cilium#34796, @tklauser)
* vendor: Bump StateDB to v0.2.6 and fix usage (cilium/cilium#34669, @joamaki)
* wireguard: Move private key generation to start (cilium/cilium#34860, @joamaki)


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.17.0-pre.1@sha256:fa532628872a3b086d8658d93ff55e94035cb2a7d7f5f2411539eb51cceee617`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.17.0-pre.1@sha256:b019822aa0d968b4d4275fa0da7b77c9e05ad76bc5b93aeb89f67ce5278d3cce`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.17.0-pre.1@sha256:0a2e7aa1135e9c9ec9f72cf015bb5a39d4c0d651165a11195110b7e7cac657d3`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.17.0-pre.1@sha256:0f6450f567e998768f042894602a7a44f7146133c34cc2cbd5f5850effcef44a`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.17.0-pre.1@sha256:a1d68e285c88a8190003c45265d0f5269bf8984a9d8000611998131862ebc0e2`

### operator-aws

`quay.io/cilium/operator-aws:v1.17.0-pre.1@sha256:54be54e2562e4c5ef7baf7e936fe7d7ecbd6fc2c35681ecdb688cd850966d84a`

### operator-azure

`quay.io/cilium/operator-azure:v1.17.0-pre.1@sha256:05f362b927ad91e7fa4ff050444bd075e2b61d5b1108549b860a3357cb592891`

### operator-generic

`quay.io/cilium/operator-generic:v1.17.0-pre.1@sha256:5b8e56c73c292285370296d5b71266bbe11ee02c4977c1d299c313a09cb72d42`

### operator

`quay.io/cilium/operator:v1.17.0-pre.1@sha256:c099d3a5490f842f7b0ba0f9792631aa5c755fce04c82a6ce3c6c765dcc43c52`


1.16.2 (2024-09-26)

We are happy to release Cilium v1.16.2!

This release brings us improved validation for updating from v1.15, fixed panics, race conditions and deadlocks, CI fixes and many many more changes!

Check out the summary below for details.

Summary of Changes
------------------

**Minor Changes:**
* Add validation to prevent users from using deprecated values that have been removed in v1.15 and v1.16 (Backport PR #34452, Upstream PR #34229, @chancez)
* bgpv2: update status field of CiliumBGPNodeConfig CRD (Backport PR #34580, Upstream PR #33411, @harsimran-pabla)
* docs: Update examples for CNP L7 Host (Backport PR #34644, Upstream PR #34578, @sayboras)
* egressgw: drop traffic when gateway node is not configured for policy (Backport PR #34452, Upstream PR #33625, @julianwiedmann)

**Bugfixes:**
* add support for validation of stringToString values in ConfigMap (Backport PR #34586, Upstream PR #34279, @alex-berger)
* bgpv2: correct service reconciler initialization (Backport PR #34452, Upstream PR #34415, @harsimran-pabla)
* bgpv2: fix cilium-dbg bgp filtering by ASN & route-policy dump format (Backport PR #34452, Upstream PR #34335, @rastislavs)
* bpf: Fix `Prune` map operation leaking BPF map entries (Backport PR #34586, Upstream PR #34476, @gandro)
* config: fix disabling config 'Debug' (Backport PR #34469, Upstream PR #34401, @mhofstetter)
* daemon: Create IPsec and LRP maps early on startup (Backport PR #34452, Upstream PR #34388, @pchaigno)
* daemon: Fix error logic flow for pod store being out of date (Backport PR #34586, Upstream PR #34389, @christarazi)
* envoy: fix log level mapping when changing log level via API (Backport PR #34452, Upstream PR #34400, @mhofstetter)
* Fix "invalid sysctl parameter" error when Cilium needs to modify a sysctl with capital letters in its name. (Backport PR #34586, Upstream PR #34298, @julianwiedmann)
* Fix a bug in Cilium's kube-proxy replacement, where replies by a local backend are dropped with DROP_NO_FIB. (Backport PR #34452, Upstream PR #34303, @julianwiedmann)
* Fix a race condition that would cause errors related to maps `LB{4,6}_SKIP_MAP` when loading programs. (Backport PR #34586, Upstream PR #34453, @pchaigno)
* Fix agent panic when IPsec is enabled but XFRM stats are not exposed by the kernel. (Backport PR #34831, Upstream PR #34647, @chaunceyjiang)
* Fix issue where a hostport service would be created on an incorrect node when cilium-agent is configured with disable-endpoint-crd (Backport PR #34644, Upstream PR #34385, @haozhangami)
* Fix operator deployment connecting to clustermesh kvstoremesh when endpointslice sync or MCS-API Service exports is enabled (Backport PR #34586, Upstream PR #34295, @MrFreezeex)
* Fix parsing of complex api-rate-limit options. The parsing failed when rate limits were configured for multiple API endpoints with multiple options, for example: "endpoint-create=rate-limit:1/s,rate-burst=1,endpoint-delete=rate-limit:2/s,rate-burst=2". The ability to also specify the rate limits as JSON strings was also returned. (Backport PR #34586, Upstream PR #34249, @joamaki)
* Fix possible connection disruption on agent restart with WireGuard + native routing (Backport PR #34831, Upstream PR #34095, @giorio94)
* Fix possible panic occurring in case errors are returned while updating/deleting IPv6 routes (Backport PR #34831, Upstream PR #34721, @giorio94)
* Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #34831, Upstream PR #34775, @julianwiedmann)
* Fixes broken pod-to-remote-hostport connectivity when IPsec is used with L7 ingress policy and KPR. (Backport PR #34586, Upstream PR #33805, @jschwinger233)
* Fixes deadlock in identity watcher. This fixes an issue where a kvstore disconnect can cause the event receiver to exit and the event sender to get stuck forever. (Backport PR #34831, Upstream PR #34611, @dboslee)
* helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR #34472, Upstream PR #34448, @mhofstetter)
* ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR #34586, Upstream PR #34474, @sayboras)
* ingress: Remove generated CEC if empty (Backport PR #34644, Upstream PR #34576, @sayboras)
* lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR #34452, Upstream PR #34236, @mhofstetter)
* policy: Fixed CIDRGroupRef breaking the sanitization (Backport PR #34452, Upstream PR #34076, @chaunceyjiang)
* Replace dotted sysctl names with string slices (Backport PR #34831, Upstream PR #34527, @dylandreimerink)

**CI Changes:**
* .github: change nick-invision/retry -> nick-fields/retry. (cilium/cilium#34735, @michi-covalent)
* bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR #34452, Upstream PR #34270, @rastislavs)
* ci: clean disk only on ubuntu-latest runners (Backport PR #34831, Upstream PR #34711, @marseel)
* ci: Conformance E2E wait for images before matrix generation (Backport PR #34831, Upstream PR #34707, @marseel)
* ci: datapath-verifier: also run on 6.6 kernel (Backport PR #34452, Upstream PR #34420, @julianwiedmann)
* ci: don't run AKS tests on LTS versions (Backport PR #34644, Upstream PR #34640, @marseel)
* ci: Wait for images before generating test matrix (Backport PR #34831, Upstream PR #34727, @marseel)
* Fix: push PR changes when renovate build images under the workflow_call context (Backport PR #34831, Upstream PR #34650, @Artyop)
* gha: Add disk cleanup step for build and test workflow (Backport PR #34452, Upstream PR #34339, @sayboras)

**Misc Changes:**
* .github: remove installation steps for arm64 (Backport PR #34452, Upstream PR #34336, @aanm)
* [v1.16] deps: update Docker dependency (cilium/cilium#34354, @ferozsalam)
* bgpv2: correct error message log (Backport PR #34586, Upstream PR #34276, @harsimran-pabla)
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#34569, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (cilium/cilium#34749, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.16) (patch) (cilium/cilium#34568, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#34687, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.16) (cilium/cilium#34883, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.16) (cilium/cilium#34118, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.16) (cilium/cilium#34497, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.16) (cilium/cilium#34878, @cilium-renovate[bot])
* chore(deps): update docker.io/library/busybox:1.36.1 docker digest to 34b191d (v1.16) (cilium/cilium#34760, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.16) (cilium/cilium#34887, @cilium-renovate[bot])
* chore(deps): update go to v1.22.7 (v1.16) (cilium/cilium#34797, @cilium-renovate[bot])
* chore: Avoid docker warning due to casing (Backport PR #34856, Upstream PR #34125, @sayboras)
* cilium-dbg: add Envoy admin commands (Backport PR #34586, Upstream PR #34398, @mhofstetter)
* clustermesh/endpointslicesync: fix panic on failure in Test_meshEndpointSlice_Reconcile (Backport PR #34831, Upstream PR #34699, @tklauser)
* contrib: allow l7proxy in egressgw config (Backport PR #34831, Upstream PR #34636, @julianwiedmann)
* docs: Avoid using wildcard TLS certificate (Backport PR #34831, Upstream PR #34609, @sayboras)
* docs: Improve disk based policy documentation (Backport PR #34452, Upstream PR #34234, @tamilmani1989)
* docs: Update LB-IPAM `allowFirstLastIPs` documentation (Backport PR #34452, Upstream PR #34227, @dylandreimerink)
* Documentation: Add instructions on accessing the Hubble API with TLS (Backport PR #34452, Upstream PR #34361, @chancez)
* Documentation: Add section to validate Hubble TLS is enabled (Backport PR #34644, Upstream PR #34416, @chancez)
* endpoint: Do not pass a function to WithFields (Backport PR #34452, Upstream PR #34346, @jrajahalme)
* fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34452, Upstream PR #34372, @Artyop)
* images: fix path script (Backport PR #34768, Upstream PR #34764, @aanm)
* ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34586, Upstream PR #34221, @jschwinger233)
* pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR #34586, Upstream PR #33896, @aanm)
* Reorganize Hubble docs (Backport PR #34452, Upstream PR #34282, @chancez)
* Use exponential backoff for etcd connection retries during quorum loss (Backport PR #34452, Upstream PR #34231, @hemanthmalla)
* wireguard: minor improvements (Backport PR #34452, Upstream PR #34285, @julianwiedmann)

**Other Changes:**
* [v1.16] CODEOWNERS: switch cilium/tophat to cilium/committers (cilium/cilium#34338, @julianwiedmann)
* [v1.16] envoy: Bump envoy version from v1.29.7 to v1.29.9 (cilium/cilium#34966, @sayboras)
* [v1.16] envoy: Switch to image with timestamp tag (cilium/cilium#34395, @sayboras)
* envoy: Bump golang version (cilium/cilium#34328, @sayboras)
* Fix panic in endpoint regeneration when DNS requests are processed during early initialization. (cilium/cilium#34892, @joamaki)
* install: Update image digests for v1.16.1 (cilium/cilium#34378, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.16.2@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea`
`quay.io/cilium/cilium:stable@sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.16.2@sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73`
`quay.io/cilium/clustermesh-apiserver:stable@sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.16.2@sha256:9b455c663e43f785e3ef26471e29e22939c056af41d1e9215007b88dd37cd99b`
`quay.io/cilium/docker-plugin:stable@sha256:9b455c663e43f785e3ef26471e29e22939c056af41d1e9215007b88dd37cd99b`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.16.2@sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c`
`quay.io/cilium/hubble-relay:stable@sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.16.2@sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716`
`quay.io/cilium/operator-alibabacloud:stable@sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716`

### operator-aws

`quay.io/cilium/operator-aws:v1.16.2@sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd`
`quay.io/cilium/operator-aws:stable@sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd`

### operator-azure

`quay.io/cilium/operator-azure:v1.16.2@sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727`
`quay.io/cilium/operator-azure:stable@sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727`

### operator-generic

`quay.io/cilium/operator-generic:v1.16.2@sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a`
`quay.io/cilium/operator-generic:stable@sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a`

### operator

`quay.io/cilium/operator:v1.16.2@sha256:01c4d846f65ecd2bd86f3d95a0ddc2bc4c813f6074a41828ca9ca2a30ed34381`
`quay.io/cilium/operator:stable@sha256:01c4d846f65ecd2bd86f3d95a0ddc2bc4c813f6074a41828ca9ca2a30ed34381`


1.15.9 (2024-09-26)

We are happy to release Cilium v1.15.9!

This release brings us upstream filter chains for L7 LB policy enforcement, BGP (and other!) bugfixes, CI changes and many many more!

Check out the summary below for details.

Summary of Changes
------------------

**Minor Changes:**
* cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR #34457, Upstream PR #32119, @jrajahalme)
* docs: Update examples for CNP L7 Host (Backport PR #34645, Upstream PR #34578, @sayboras)

**Bugfixes:**
* BGPv1 + BGPv2: Fix incorrect service reconciliation in setups with multiple BGP instances (virtual routers) (cilium/cilium#34331, @rastislavs)
* config: fix disabling config 'Debug' (Backport PR #34470, Upstream PR #34401, @mhofstetter)
* daemon: Fix error logic flow for pod store being out of date (Backport PR #34587, Upstream PR #34389, @christarazi)
* envoy: fix log level mapping when changing log level via API (Backport PR #34456, Upstream PR #34400, @mhofstetter)
* Fix synchronization of CiliumEndpointSlices when running the Cilium Operator in identity-based slicing mode. (Backport PR #34456, Upstream PR #32239, @thorn3r)
* Fix the Egress Gateway reconciliation logic to make progress after setting the rp_filter sysctl failed. (Backport PR #34830, Upstream PR #34775, @julianwiedmann)
* helm: fix envoy prometheus metrics scraping with servicemonitor (Backport PR #34473, Upstream PR #34448, @mhofstetter)
* ingress: Avoid opening of port 80 for TLSPassthrough only (Backport PR #34598, Upstream PR #34474, @sayboras)
* ipcache: Yet another refcounting fix with mix of APIs (Backport PR #34933, Upstream PR #34715, @gandro)
* lbipam: fix panic when changing the shared key & req. ip annotation (Backport PR #34456, Upstream PR #34236, @mhofstetter)

**CI Changes:**
* .github: change nick-invision/retry -> nick-fields/retry. (cilium/cilium#34736, @michi-covalent)
* bgpv1/test: fix route matching in PodIPPoolAdvert test (Backport PR #34456, Upstream PR #34270, @rastislavs)
* ci: clean disk only on ubuntu-latest runners (Backport PR #34830, Upstream PR #34711, @marseel)
* ci: Conformance E2E wait for images before matrix generation (Backport PR #34830, Upstream PR #34707, @marseel)
* ci: don't run AKS tests on LTS versions (Backport PR #34645, Upstream PR #34640, @marseel)
* ci: multi pool run tests concurrently (Backport PR #34299, Upstream PR #33945, @viktor-kurchenko)
* ci: Wait for images before generating test matrix (Backport PR #34830, Upstream PR #34727, @marseel)
* Fix: push PR changes when renovate build images under the workflow_call context (Backport PR #34830, Upstream PR #34650, @Artyop)
* gha: Add disk cleanup step for build and test workflow (Backport PR #34456, Upstream PR #34339, @sayboras)
* gha: Free up GitHub runner disk space (Backport PR #34299, Upstream PR #34247, @sayboras)

**Misc Changes:**
* Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34299, Upstream PR #34137, @youngnick)
* Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34367, Upstream PR #34137, @youngnick)
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#34571, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (cilium/cilium#34750, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.15) (patch) (cilium/cilium#34570, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#34696, @cilium-renovate[bot])
* chore(deps): update all-dependencies (v1.15) (cilium/cilium#34904, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.15) (cilium/cilium#34119, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.15) (cilium/cilium#34507, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.15) (cilium/cilium#34884, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.1 (v1.15) (cilium/cilium#34851, @cilium-renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.19.4 (v1.15) (cilium/cilium#34761, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.15) (cilium/cilium#34900, @cilium-renovate[bot])
* chore(deps): update go to v1.22.7 (v1.15) (cilium/cilium#34733, @cilium-renovate[bot])
* chore: Avoid docker warning due to casing (Backport PR #34857, Upstream PR #34125, @sayboras)
* cilium-dbg: add Envoy admin commands (Backport PR #34587, Upstream PR #34398, @mhofstetter)
* docs: Avoid using wildcard TLS certificate (Backport PR #34830, Upstream PR #34609, @sayboras)
* docs: Improve Ingress documentation (Backport PR #34367, Upstream PR #33698, @youngnick)
* Documentation: Update readthedocs configuration (Backport PR #34299, Upstream PR #34190, @joestringer)
* endpoint: Do not pass a function to WithFields (Backport PR #34456, Upstream PR #34346, @jrajahalme)
* fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34456, Upstream PR #34372, @Artyop)
* images: fix path script (Backport PR #34767, Upstream PR #34764, @aanm)
* ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34587, Upstream PR #34221, @jschwinger233)
* pkg/endpointmanager: don't hold lock while iterating over subscribers (Backport PR #34587, Upstream PR #33896, @aanm)

**Other Changes:**
* [v1.15] CODEOWNERS: switch cilium/tophat to cilium/committers (cilium/cilium#34889, @julianwiedmann)
* [v1.15] envoy: Bump envoy version from v1.29.7 to v1.29.9 (cilium/cilium#34965, @sayboras)
* [v1.15] envoy: Switch to image with timestamp tag (cilium/cilium#34394, @sayboras)
* envoy: Bump golang version (cilium/cilium#34327, @sayboras)
* install: Update image digests for v1.15.8 (cilium/cilium#34376, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`quay.io/cilium/cilium:v1.15.9@sha256:c2a4c57a6baf758e975fbefbf638476906d1bb0c970e9547d216d9ea7b6471e3`

### clustermesh-apiserver

`quay.io/cilium/clustermesh-apiserver:v1.15.9@sha256:ec82fb96dd0fbac4c6de333aaf8f7964a74c2194a3afdf765b3c260433a4aeed`

### docker-plugin

`quay.io/cilium/docker-plugin:v1.15.9@sha256:1a86463fd5b38b5930069045af141ee577ead4c26f8ba4d4a532d1aa3f38a709`

### hubble-relay

`quay.io/cilium/hubble-relay:v1.15.9@sha256:421afd9f4e46a7b9834f0542ceca6e8652ec0598982126dc2dd1dcf0dd690631`

### operator-alibabacloud

`quay.io/cilium/operator-alibabacloud:v1.15.9@sha256:9fe2c3c6d49d4f501067ec525a3d792da17d055ebcefa37f4fbb5698109d217b`

### operator-aws

`quay.io/cilium/operator-aws:v1.15.9@sha256:8c2b4a4d4d6ebf1c37a6ae72da2279286729a4982bf124d98f4bcc2db5eeb5e6`

### operator-azure

`quay.io/cilium/operator-azure:v1.15.9@sha256:9b02e12c56b08d50eb1540d6cbb1119eee639a9795c752c4904311d03889d7fe`

### operator-generic

`quay.io/cilium/operator-generic:v1.15.9@sha256:0ec30b4df0d097aedcbcb41748f10ce397f9656c128bea7e227b6bfd820f6d76`

### operator

`quay.io/cilium/operator:v1.15.9@sha256:9ed87c339762c5b5422bd284e9672f6fedcee2aba376a5aa1328223c39bd9914`


1.14.15 (2024-09-26)

We are happy to release Cilium v1.14.15!

This release brings us upstream filter chains for L7 LB policy enforcement, bugfixes, CI fixes and many, many more! See the summary of changes below!

Summary of Changes
------------------

**Minor Changes:**
* cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR #34458, Upstream PR #32119, @jrajahalme)
* docs: Update examples for CNP L7 Host (Backport PR #34646, Upstream PR #34578, @sayboras)

**Bugfixes:**
* config: fix disabling config 'Debug' (Backport PR #34471, Upstream PR #34401, @mhofstetter)
* envoy: fix log level mapping when changing log level via API (Backport PR #34459, Upstream PR #34400, @mhofstetter)
* ipcache: Yet another refcounting fix with mix of APIs (Backport PR #34713, Upstream PR #34715, @gandro)

**CI Changes:**
* .github: change nick-invision/retry -> nick-fields/retry. (cilium/cilium#34737, @michi-covalent)
* ci: clean disk only on ubuntu-latest runners (Backport PR #34829, Upstream PR #34711, @marseel)
* ci: Conformance E2E wait for images before matrix generation (Backport PR #34829, Upstream PR #34707, @marseel)
* ci: multi pool run tests concurrently (Backport PR #34364, Upstream PR #33945, @viktor-kurchenko)
* ci: Wait for images before generating test matrix (Backport PR #34829, Upstream PR #34727, @marseel)
* Fix: push PR changes when renovate build images under the workflow_call context (Backport PR #34829, Upstream PR #34650, @Artyop)
* gha: Add disk cleanup step for build and test workflow (Backport PR #34364, Upstream PR #34339, @sayboras)
* gha: Free up GitHub runner disk space (Backport PR #34364, Upstream PR #34247, @sayboras)
* gha: Remove ci-aks workflow (cilium/cilium#34606, @sayboras)

**Misc Changes:**
* [v1.14] hive: prevent goleak error due to race condition (cilium/cilium#34658, @marseel)
* Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34369, Upstream PR #34137, @youngnick)
* Add source IP visibility info to Ingress and Gateway API docs (Backport PR #34459, Upstream PR #34137, @youngnick)
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#34572, @cilium-renovate[bot])
* chore(deps): update all github action dependencies (v1.14) (cilium/cilium#34763, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.14) (cilium/cilium#34120, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.14) (cilium/cilium#34508, @cilium-renovate[bot])
* chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.14) (cilium/cilium#34885, @cilium-renovate[bot])
* chore(deps): update dependency cilium/hubble to v1.16.1 (v1.14) (cilium/cilium#34854, @cilium-renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.18.9 (v1.14) (cilium/cilium#34762, @cilium-renovate[bot])
* chore(deps): update docker.io/library/golang:1.22.7 docker digest to 4594271 (v1.14) (cilium/cilium#34901, @cilium-renovate[bot])
* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to adbb901 (v1.14) (cilium/cilium#34697, @cilium-renovate[bot])
* chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.16 (v1.14) (cilium/cilium#34905, @cilium-renovate[bot])
* chore(deps): update go to v1.22.7 (v1.14) (cilium/cilium#34734, @cilium-renovate[bot])
* chore(deps): update kindest/node docker tag to v1.27.16 (v1.14) (cilium/cilium#34509, @cilium-renovate[bot])
* chore: Avoid docker warning due to casing (Backport PR #34859, Upstream PR #34125, @sayboras)
* cilium-dbg: add Envoy admin commands (Backport PR #34495, Upstream PR #34398, @mhofstetter)
* docs: Avoid using wildcard TLS certificate (Backport PR #34829, Upstream PR #34609, @sayboras)
* docs: Improve Ingress documentation (Backport PR #34369, Upstream PR #33698, @youngnick)
* docs: Improve Ingress documentation (Backport PR #34459, Upstream PR #33698, @youngnick)
* Documentation: Update readthedocs configuration (Backport PR #34364, Upstream PR #34190, @joestringer)
* fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR #34459, Upstream PR #34372, @Artyop)
* images: fix path script (Backport PR #34766, Upstream PR #34764, @aanm)
* ipsec: Document a new cause of XfrmInStateProtoError (Backport PR #34495, Upstream PR #34221, @jschwinger233)

**Other Changes:**
* [v1.14] CODEOWNERS: switch cilium/tophat to cilium/committers (cilium/cilium#34888, @julianwiedmann)
* [v1.14] envoy: Bump envoy version from v1.29.7 to v1.29.9 (cilium/cilium#34963, @sayboras)
* [v1.14] envoy: Switch to image with timestamp tag (cilium/cilium#34393, @sayboras)
* envoy: Bump golang version (cilium/cilium#34329, @sayboras)
* install: Update image digests for v1.14.14 (cilium/cilium#34377, @cilium-release-bot[bot])


## Docker Manifests

### cilium

`docker.io/cilium/cilium:v1.14.15@sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d`
`quay.io/cilium/cilium:v1.14.15@sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d`

### clustermesh-apiserver

`docker.io/cilium/clustermesh-apiserver:v1.14.15@sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b`
`quay.io/cilium/clustermesh-apiserver:v1.14.15@sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b`

### docker-plugin

`docker.io/cilium/docker-plugin:v1.14.15@sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f`
`quay.io/cilium/docker-plugin:v1.14.15@sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f`

### hubble-relay

`docker.io/cilium/hubble-relay:v1.14.15@sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7`
`quay.io/cilium/hubble-relay:v1.14.15@sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7`

### kvstoremesh

`docker.io/cilium/kvstoremesh:v1.14.15@sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0`
`quay.io/cilium/kvstoremesh:v1.14.15@sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0`

### operator-alibabacloud

`docker.io/cilium/operator-alibabacloud:v1.14.15@sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd`
`quay.io/cilium/operator-alibabacloud:v1.14.15@sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd`

### operator-aws

`docker.io/cilium/operator-aws:v1.14.15@sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175`
`quay.io/cilium/operator-aws:v1.14.15@sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175`

### operator-azure

`docker.io/cilium/operator-azure:v1.14.15@sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668`
`quay.io/cilium/operator-azure:v1.14.15@sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668`

### operator-generic

`docker.io/cilium/operator-generic:v1.14.15@sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870`
`quay.io/cilium/operator-generic:v1.14.15@sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870`

### operator

`docker.io/cilium/operator:v1.14.15@sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f`
`quay.io/cilium/operator:v1.14.15@sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f`