Update properly to cilium v1.16.4

charts/internal/cilium/charts/config/templates/configmap.yaml

@@ -664,6 +664,7 @@ data:
   proxy-xff-num-trusted-hops-ingress: "0"
   proxy-xff-num-trusted-hops-egress: "0"
   proxy-connect-timeout: "2"
+  proxy-initial-fetch-timeout: "30"
   proxy-max-requests-per-connection: "0"
   proxy-max-connection-duration-seconds: "0"
   proxy-idle-timeout-seconds: "60"

charts/internal/cilium/charts/envoy/templates/configmap.yaml

@@ -265,6 +265,7 @@ data:
       },
       "dynamicResources": {
         "ldsConfig": {
+          "initialFetchTimeout": "30s",
           "apiConfigSource": {
             "apiType": "GRPC",
             "transportApiVersion": "V3",
@@ -280,6 +281,7 @@ data:
           "resourceApiVersion": "V3"
         },
         "cdsConfig": {
+          "initialFetchTimeout": "30s",
           "apiConfigSource": {
             "apiType": "GRPC",
             "transportApiVersion": "V3",
@@ -303,14 +305,13 @@ data:
           }
         }
       ],
-      "layeredRuntime": {
-        "layers": [
+      "overload_manager": {
+        "resource_monitors": [
           {
-            "name": "static_layer_0",
-            "staticLayer": {
-              "overload": {
-                "global_downstream_max_connections": 50000
-              }
+            "name": "envoy.resource_monitors.global_downstream_max_connections",
+            "typed_config": {
+              "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
+              "max_active_downstream_connections": "50000"
             }
           }
         ]

charts/internal/cilium/charts/hubble-relay/templates/cronjob.yaml

@@ -54,6 +54,7 @@ spec:
                       - signing
                       - key encipherment
                       - server auth
+                      - client auth
                       validity: 26280h
                     - name: hubble-relay-client-certs
                       namespace: kube-system

charts/internal/cilium/charts/hubble-relay/templates/job.yaml

@@ -50,6 +50,7 @@ spec:
                   - signing
                   - key encipherment
                   - server auth
+                  - client auth
                   validity: 26280h
                 - name: hubble-relay-client-certs
                   namespace: kube-system

charts/internal/cilium/charts/operator/templates/clusterrole.yaml

@@ -16,6 +16,15 @@ rules:
   # to automatically delete [core|kube]dns pods so that are starting to being
   # managed by Cilium
   - delete
+- apiGroups:
+    - ""
+  resources:
+    - configmaps
+  resourceNames:
+    - cilium-config
+  verbs:
+    # allow patching of the configmap to set annotations
+    - patch
 - apiGroups:
   - ""
   resources:

imagevector/images.yaml

@@ -21,7 +21,7 @@ images:
   - name: cilium-envoy
     sourceRepository: github.com/cilium/cilium
     repository: quay.io/cilium/cilium-envoy
-    tag: v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047
+    tag: v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16
     labels:
     - name: 'gardener.cloud/cve-categorisation'
       value:
@@ -86,7 +86,7 @@ images:
   - name: certgen
     sourceRepository: github.com/cilium/certgen
     repository: quay.io/cilium/certgen
-    tag: v0.2.1
+    tag: v0.2.0
     labels:
     - name: 'gardener.cloud/cve-categorisation'
       value: