helm: bump Cilium version to v1.15.19-edg.0 (#3894)

* helm: generate cilium

* helm: update cilium ref
Markus Rudy 2025-08-01 14:48:51 +02:00 committed by GitHub
parent 050c6a22c3
commit f35ac667b7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 294 additions and 55 deletions

View file

@ -474,6 +474,7 @@ go_library(
"charts/coredns/templates/service.yaml",
"charts/coredns/templates/serviceaccount.yaml",
"charts/aws-load-balancer-controller/templates/hpa.yaml",
"charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml",
],
importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
visibility = ["//:__subpackages__"],
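Review bot: the new `bootstrap-config.yaml` is added to the embedded `srcs`, but nothing here removes the old `bootstrap-config.json` entry, and the configmap template in this same commit stops reading that file. If the `.json` file was deleted from `charts/cilium/files/cilium-envoy/configmap/`, the stale `srcs` entry will fail the Bazel build; if it was kept only to satisfy the embed list, drop it and the entry together.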

View file

@ -2,8 +2,8 @@ apiVersion: v2
name: cilium
displayName: Cilium
home: https://cilium.io/
version: 1.15.8-edg.0
appVersion: 1.15.8-edg.0
version: 1.15.19-edg.0
appVersion: 1.15.19-edg.0
kubeVersion: ">= 1.16.0-0"
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg
description: eBPF-based Networking, Security, and Observability

View file

@ -1,6 +1,6 @@
# cilium
![Version: 1.15.8](https://img.shields.io/badge/Version-1.15.8-informational?style=flat-square) ![AppVersion: 1.15.8](https://img.shields.io/badge/AppVersion-1.15.8-informational?style=flat-square)
![Version: 1.15.19](https://img.shields.io/badge/Version-1.15.19-informational?style=flat-square) ![AppVersion: 1.15.19](https://img.shields.io/badge/AppVersion-1.15.19-informational?style=flat-square)
Cilium is open source software for providing and transparently securing
network connectivity and loadbalancing between application workloads such as
@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help.
| authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
| authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:7edf5efe6b86dbf01ccc3c76b32a37a8e23b84e6bad81ce8ae8c221fa456fda8","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
| authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
| authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
| authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
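Review bot: the busybox `initImage` digest changes while the tag stays at `1.36.1`, so the same mutable tag now resolves to different content; with `useDigest: true` the pin is what actually gets pulled, which is the right setting. State in the commit message where the new digest was taken from (the upstream Cilium v1.15.19 values) so a reviewer can verify it rather than re-resolving the tag.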
@ -143,7 +143,7 @@ contributors across the globe, there is almost always someone available to help.
| bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
| bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
| bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:40cdac65aa6ee86c16ce107f8726c4b55ce6654d07bbdf490db6bd492587bf54","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.14","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:28511366bb5dc99b6ec424dc87399945714d57a586194658d9e2316ba3db4d04","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.19","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
| certgen.affinity | object | `{}` | Affinity for certgen |
| certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
| certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
@ -171,7 +171,7 @@ contributors across the globe, there is almost always someone available to help.
| clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
| clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
| clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.8","useDigest":false}` | Clustermesh API server image. |
| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.19","useDigest":false}` | Clustermesh API server image. |
| clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
| clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
| clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@ -338,7 +338,7 @@ contributors across the globe, there is almost always someone available to help.
| envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
| envoy.healthPort | int | `9878` | TCP port for the health API. |
| envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
| envoy.image | object | `{"digest":"sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51","useDigest":true}` | Envoy container image. |
| envoy.image | object | `{"digest":"sha256:318eff387835ca2717baab42a84f35a83a5f9e7d519253df87269f80b9ff0171","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68","useDigest":true}` | Envoy container image. |
| envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
| envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
| envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
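Review bot: the `envoy.image` tag moves from `v1.29.7-...` to `v1.33.4-...`, four Envoy minor versions, inside what the commit message describes as a patch-level chart bump. That jump is presumably why the new `bootstrap-config.yaml` file is needed; the message should say so, since Envoy config compatibility is the part of this change most likely to need a rollback.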
@ -451,12 +451,12 @@ contributors across the globe, there is almost always someone available to help.
| hubble.peerService.clusterDomain | string | `"cluster.local"` | The cluster domain to use to query the Hubble Peer service. It should be the local cluster. |
| hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service, must match the hubble.listenAddress' port. |
| hubble.preferIpv6 | bool | `false` | Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. |
| hubble.redact | object | `{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":false}}` | Enables redacting sensitive information present in Layer 7 flows. |
| hubble.redact | object | `{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":true}}` | Enables redacting sensitive information present in Layer 7 flows. |
| hubble.redact.http.headers.allow | list | `[]` | List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: allow: - traceparent - tracestate - Cache-Control You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" |
| hubble.redact.http.headers.deny | list | `[]` | List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: deny: - Authorization - Proxy-Authorization You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" |
| hubble.redact.http.urlQuery | bool | `false` | Enables redacting URL query (GET) parameters. Example: redact: enabled: true http: urlQuery: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.urlQuery="true" |
| hubble.redact.http.userInfo | bool | `true` | Enables redacting user info, e.g., password when basic auth is used. Example: redact: enabled: true http: userInfo: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.userInfo="true" |
| hubble.redact.kafka.apiKey | bool | `false` | Enables redacting Kafka's API key. Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.kafka.apiKey="true" |
| hubble.redact.kafka.apiKey | bool | `true` | Enables redacting Kafka's API key. Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.kafka.apiKey="true" |
| hubble.relay.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for hubble-replay |
| hubble.relay.annotations | object | `{}` | Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) |
| hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
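Review bot: `hubble.redact.kafka.apiKey` flips from `false` to `true` as a default, so Kafka API keys in Layer 7 flows are now redacted out of the box. That is the safer default, but it is a behaviour change for anyone reading Hubble flows, and it is not mentioned in the commit message; one line noting the new default (and that `--set hubble.redact.kafka.apiKey="false"` restores the old output) would save users a surprise.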
@ -466,7 +466,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
| hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
| hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.8","useDigest":false}` | Hubble-relay container image. |
| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.19","useDigest":false}` | Hubble-relay container image. |
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@ -524,7 +524,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
| hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
| hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
| hubble.ui.backend.image | object | `{"digest":"sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.1","useDigest":true}` | Hubble-ui backend image. |
| hubble.ui.backend.image | object | `{"digest":"sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.2","useDigest":true}` | Hubble-ui backend image. |
| hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
| hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
| hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
@ -534,7 +534,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
| hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
| hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
| hubble.ui.frontend.image | object | `{"digest":"sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.1","useDigest":true}` | Hubble-ui frontend image. |
| hubble.ui.frontend.image | object | `{"digest":"sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.2","useDigest":true}` | Hubble-ui frontend image. |
| hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
| hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
| hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@ -561,7 +561,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
| identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.8","useDigest":false}` | Agent container image. |
| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.19","useDigest":false}` | Agent container image. |
| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
| ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
| ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@ -676,7 +676,7 @@ contributors across the globe, there is almost always someone available to help.
| operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.8","useDigest":false}` | cilium-operator image. |
| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.19","useDigest":false}` | cilium-operator image. |
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@ -727,7 +727,7 @@ contributors across the globe, there is almost always someone available to help.
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
| preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
| preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.8","useDigest":false}` | Cilium pre-flight image. |
| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.19","useDigest":false}` | Cilium pre-flight image. |
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

View file

@ -0,0 +1,232 @@
node:
id: "host~127.0.0.1~no-id~localdomain"
cluster: "ingress-cluster"
staticResources:
listeners:
{{- if .Values.envoy.prometheus.enabled }}
- name: "envoy-prometheus-metrics-listener"
address:
socketAddress:
address: {{ .Values.ipv4.enabled | ternary "0.0.0.0" "::" | quote }}
portValue: {{ .Values.envoy.prometheus.port }}
{{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
additionalAddresses:
- address:
socketAddress:
address: "::"
portValue: {{ .Values.envoy.prometheus.port }}
{{- end }}
filterChains:
- filters:
- name: "envoy.filters.network.http_connection_manager"
typedConfig:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
statPrefix: "envoy-prometheus-metrics-listener"
routeConfig:
virtualHosts:
- name: "prometheus_metrics_route"
domains:
- "*"
routes:
- name: "prometheus_metrics_route"
match:
prefix: "/metrics"
route:
cluster: "/envoy-admin"
prefixRewrite: "/stats/prometheus"
httpFilters:
- name: "envoy.filters.http.router"
typedConfig:
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
internalAddressConfig:
cidrRanges:
{{- if .Values.ipv4.enabled }}
- addressPrefix: "10.0.0.0"
prefixLen: 8
- addressPrefix: "172.16.0.0"
prefixLen: 12
- addressPrefix: "192.168.0.0"
prefixLen: 16
- addressPrefix: "127.0.0.1"
prefixLen: 32
{{- end }}
{{- if .Values.ipv6.enabled }}
- addressPrefix: "::1"
prefixLen: 128
{{- end }}
streamIdleTimeout: "0s"
{{- end }}
- name: "envoy-health-listener"
address:
socketAddress:
address: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
portValue: {{ .Values.envoy.healthPort }}
{{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
additionalAddresses:
- address:
socketAddress:
address: "::1"
portValue: {{ .Values.envoy.healthPort }}
{{- end }}
filterChains:
- filters:
- name: "envoy.filters.network.http_connection_manager"
typedConfig:
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
statPrefix: "envoy-health-listener"
routeConfig:
virtual_hosts:
- name: "health"
domains:
- "*"
routes:
- name: "health"
match:
prefix: "/healthz"
route:
cluster: "/envoy-admin"
prefixRewrite: "/ready"
httpFilters:
- name: "envoy.filters.http.router"
typedConfig:
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
internalAddressConfig:
cidrRanges:
{{- if .Values.ipv4.enabled }}
- addressPrefix: "10.0.0.0"
prefixLen: 8
- addressPrefix: "172.16.0.0"
prefixLen: 12
- addressPrefix: "192.168.0.0"
prefixLen: 16
- addressPrefix: "127.0.0.1"
prefixLen: 32
{{- end }}
{{- if .Values.ipv6.enabled }}
- addressPrefix: "::1"
prefixLen: 128
{{- end }}
streamIdleTimeout: "0s"
clusters:
- name: "ingress-cluster"
type: "ORIGINAL_DST"
connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
lbPolicy: "CLUSTER_PROVIDED"
typedExtensionProtocolOptions:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
commonHttpProtocolOptions:
idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
useDownstreamProtocolConfig: {}
cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
- name: "egress-cluster-tls"
type: "ORIGINAL_DST"
connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
lbPolicy: "CLUSTER_PROVIDED"
typedExtensionProtocolOptions:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
commonHttpProtocolOptions:
idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
upstreamHttpProtocolOptions: {}
useDownstreamProtocolConfig: {}
cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
transportSocket:
name: "cilium.tls_wrapper"
typedConfig:
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
- name: "egress-cluster"
type: "ORIGINAL_DST"
connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
lbPolicy: "CLUSTER_PROVIDED"
typedExtensionProtocolOptions:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
commonHttpProtocolOptions:
idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
useDownstreamProtocolConfig: {}
cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
- name: "ingress-cluster-tls"
type: "ORIGINAL_DST"
connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
lbPolicy: "CLUSTER_PROVIDED"
typedExtensionProtocolOptions:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
commonHttpProtocolOptions:
idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
upstreamHttpProtocolOptions: {}
useDownstreamProtocolConfig: {}
cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
transportSocket:
name: "cilium.tls_wrapper"
typedConfig:
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
- name: "xds-grpc-cilium"
type: "STATIC"
connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
loadAssignment:
clusterName: "xds-grpc-cilium"
endpoints:
- lbEndpoints:
- endpoint:
address:
pipe:
path: "/var/run/cilium/envoy/sockets/xds.sock"
typedExtensionProtocolOptions:
envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
explicitHttpConfig:
http2ProtocolOptions: {}
- name: "/envoy-admin"
type: "STATIC"
connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
loadAssignment:
clusterName: "/envoy-admin"
endpoints:
- lbEndpoints:
- endpoint:
address:
pipe:
path: "/var/run/cilium/envoy/sockets/admin.sock"
dynamicResources:
ldsConfig:
apiConfigSource:
apiType: "GRPC"
transportApiVersion: "V3"
grpcServices:
- envoyGrpc:
clusterName: "xds-grpc-cilium"
setNodeOnFirstMessageOnly: true
resourceApiVersion: "V3"
cdsConfig:
apiConfigSource:
apiType: "GRPC"
transportApiVersion: "V3"
grpcServices:
- envoyGrpc:
clusterName: "xds-grpc-cilium"
setNodeOnFirstMessageOnly: true
resourceApiVersion: "V3"
bootstrapExtensions:
- name: "envoy.bootstrap.internal_listener"
typedConfig:
"@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
overloadManager:
resourceMonitors:
- name: "envoy.resource_monitors.global_downstream_max_connections"
typedConfig:
"@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig"
max_active_downstream_connections: "50000"
admin:
address:
pipe:
path: "/var/run/cilium/envoy/sockets/admin.sock"
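Review bot: the health listener uses `virtual_hosts` and the overload manager uses `max_active_downstream_connections`, while everything else in this file is lowerCamelCase (`virtualHosts`, `filterChains`). Envoy's proto JSON parser accepts both spellings, so the rendered config still loads after the `fromYaml | toJson` conversion, but mixed styles make diffs against upstream harder to read; pick one. Also worth a second look: the `/metrics` listener binds `0.0.0.0` (and `::` when both families are enabled) with no restriction in its filter chain, whereas the health listener is loopback-only, so Envoy metrics are reachable from any interface on the node; confirm that matches upstream and is intended.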

View file

@ -11,6 +11,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }}
# Keep the key name as bootstrap-config.json to avoid breaking changes
bootstrap-config.json: |
{{- (tpl (.Files.Get "files/cilium-envoy/configmap/bootstrap-config.yaml") .) | fromYaml | toJson | nindent 4 }}
{{- end }}
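Review bot: `fromYaml` in Helm does not fail on a parse error; it returns a map containing an `Error` key with the message, so a templating mistake in `bootstrap-config.yaml` would render as `{"Error": "..."}` under `bootstrap-config.json` and Envoy would only reject it at startup. Guard the conversion, for example by binding the result and calling `fail` when `.Error` is set, or by rendering with `required`, so `helm template` catches it instead.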

View file

@ -26,10 +26,6 @@ spec:
template:
metadata:
annotations:
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
prometheus.io/port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}"
prometheus.io/scrape: "true"
{{- end }}
{{- if .Values.envoy.rollOutPods }}
# ensure pods roll when configmap updates
cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}
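Review bot: dropping the `prometheus.io/scrape` and `prometheus.io/port` pod annotations silently changes metrics discovery for clusters that scrape by annotation when `envoy.prometheus.serviceMonitor.enabled` is false; the commit message only mentions the version bump. If this mirrors the upstream chart, say so; otherwise keep the block.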

View file

@ -13,24 +13,12 @@ server {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# CORS
add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS";
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Max-Age 1728000;
add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;
add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;
if ($request_method = OPTIONS) {
return 204;
}
# /CORS
location {{ .Values.hubble.ui.baseUrl }}api {
{{- if not (eq .Values.hubble.ui.baseUrl "/") }}
rewrite ^{{ (trimSuffix "/" .Values.hubble.ui.baseUrl) }}(/.*)$ $1 break;
{{- end }}
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_hide_header Access-Control-Allow-Origin;
{{- if eq .Values.hubble.ui.baseUrl "/" }}
proxy_pass http://127.0.0.1:8090;
{{- else }}
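Review bot: removing the `Access-Control-Allow-Origin *` block (and the unconditional `204` for `OPTIONS`) is a good hardening step, since a wildcard origin on the Hubble UI API path let any web page reach it cross-origin, and the remaining `proxy_hide_header Access-Control-Allow-Origin` keeps the backend from reintroducing it. Do note it in the commit message, because any deployment that fronted the API from a different origin will now get CORS failures.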

View file

@ -19,4 +19,9 @@ spec:
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- client auth
{{- end }}
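Review bot: making `isCA: false` and the `usages` explicit is the right direction; with only `client auth`, this certificate can no longer be presented as a server certificate. One caveat: `key encipherment` is an RSA-only key usage and is meaningless for ECDSA keys (RFC 5480), so if `privateKey.algorithm` is set to ECDSA anywhere in these templates the bit will be set without effect; keep it only where the key type actually uses it.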

View file

@ -28,4 +28,9 @@ spec:
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- server auth
{{- end }}

View file

@ -29,4 +29,10 @@ spec:
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- server auth
- client auth
{{- end }}
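Review bot: this is the only one of the four certificates that gets both `server auth` and `client auth`, so it can be used in either role; make sure that is the component which genuinely acts as both a server and a client, since the other three are deliberately narrowed to one role.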

View file

@ -19,4 +19,9 @@ spec:
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- client auth
{{- end }}

View file

@ -146,7 +146,7 @@ rollOutCiliumPods: false
image:
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.15.8"
tag: "v1.15.19"
pullPolicy: "IfNotPresent"
# cilium-digest
digest: ""
@ -981,8 +981,8 @@ certgen:
image:
override: ~
repository: "quay.io/cilium/certgen"
tag: "v0.1.14"
digest: "sha256:40cdac65aa6ee86c16ce107f8726c4b55ce6654d07bbdf490db6bd492587bf54"
tag: "v0.1.19"
digest: "sha256:28511366bb5dc99b6ec424dc87399945714d57a586194658d9e2316ba3db4d04"
useDigest: true
pullPolicy: "IfNotPresent"
# -- Seconds after which the completed job pod will be deleted
@ -1157,7 +1157,7 @@ hubble:
#
# --set hubble.redact.enabled="true"
# --set hubble.redact.kafka.apiKey="true"
apiKey: false
apiKey: true
# -- An additional address for Hubble to listen to.
# Set this field ":4244" if you are enabling Hubble Relay, as it assumes that
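Review bot: the default changes to `apiKey: true`, but the comment directly above still shows `--set hubble.redact.kafka.apiKey="true"` as the example for turning redaction on, which is now a no-op. Update the comment to describe the new default and how to opt out, and apply the same edit to the `.tmpl` copy of this file so the two do not drift.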
@ -1240,7 +1240,7 @@ hubble:
image:
override: ~
repository: "quay.io/cilium/hubble-relay"
tag: "v1.15.8"
tag: "v1.15.19"
# hubble-relay-digest
digest: ""
useDigest: false
@ -1477,8 +1477,8 @@ hubble:
image:
override: ~
repository: "quay.io/cilium/hubble-ui-backend"
tag: "v0.13.1"
digest: "sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b"
tag: "v0.13.2"
digest: "sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15"
useDigest: true
pullPolicy: "IfNotPresent"
@ -1516,8 +1516,8 @@ hubble:
image:
override: ~
repository: "quay.io/cilium/hubble-ui"
tag: "v0.13.1"
digest: "sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6"
tag: "v0.13.2"
digest: "sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392"
useDigest: true
pullPolicy: "IfNotPresent"
@ -2084,9 +2084,9 @@ envoy:
image:
override: ~
repository: "quay.io/cilium/cilium-envoy"
tag: "v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51"
tag: "v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68"
pullPolicy: "IfNotPresent"
digest: "sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b"
digest: "sha256:318eff387835ca2717baab42a84f35a83a5f9e7d519253df87269f80b9ff0171"
useDigest: true
# -- Additional containers added to the cilium Envoy DaemonSet.
@ -2507,7 +2507,7 @@ operator:
image:
override: ~
repository: "quay.io/cilium/operator"
tag: "v1.15.8"
tag: "v1.15.19"
# operator-generic-digest
genericDigest: ""
# operator-azure-digest
@ -2808,7 +2808,7 @@ preflight:
image:
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.15.8"
tag: "v1.15.19"
# cilium-digest
digest: ""
useDigest: false
@ -2970,7 +2970,7 @@ clustermesh:
image:
override: ~
repository: "quay.io/cilium/clustermesh-apiserver"
tag: "v1.15.8"
tag: "v1.15.19"
# clustermesh-apiserver-digest
digest: ""
useDigest: false
@ -3428,7 +3428,7 @@ authentication:
override: ~
repository: "docker.io/library/busybox"
tag: "1.36.1"
digest: "sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"
digest: "sha256:7edf5efe6b86dbf01ccc3c76b32a37a8e23b84e6bad81ce8ae8c221fa456fda8"
useDigest: true
pullPolicy: "IfNotPresent"
# SPIRE agent configuration

View file

@ -1154,7 +1154,7 @@ hubble:
#
# --set hubble.redact.enabled="true"
# --set hubble.redact.kafka.apiKey="true"
apiKey: false
apiKey: true
# -- An additional address for Hubble to listen to.
# Set this field ":4244" if you are enabling Hubble Relay, as it assumes that

View file

@ -21,7 +21,7 @@ git clone \
--no-checkout \
--sparse \
--depth 1 \
-b v1.15.8-edg.0 \
-b v1.15.19-edg.0 \
https://github.com/edgelesssys/cilium.git
cd cilium
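Review bot: the sparse clone pins to the `v1.15.19-edg.0` tag with `-b`, and Git tags are mutable references that anyone with push rights to the fork can move. Since the chart and the digests in this commit are derived from that checkout, record the commit SHA the tag pointed at (or verify the tag signature) in the script or commit message so the generated chart is reproducible.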

View file

@ -198,7 +198,7 @@ func TestHelmApply(t *testing.T) {
if tc.clusterCertManagerVersion != nil {
certManagerVersion = *tc.clusterCertManagerVersion
}
helmListVersion(lister, "cilium", "v1.15.8-edg.0")
helmListVersion(lister, "cilium", "v1.15.19-edg.0")
helmListVersion(lister, "coredns", "v0.0.0")
helmListVersion(lister, "cert-manager", certManagerVersion)
helmListVersion(lister, "constellation-services", tc.clusterMicroServiceVersion)

View file

@ -381,18 +381,18 @@ func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any,
"image": map[string]any{
"repository": "ghcr.io/edgelesssys/cilium/cilium",
"suffix": "",
"tag": "v1.15.8-edg.0",
"digest": "sha256:67aedd821a732e9ba3e34d200c389122384b70c05ba9a5ffb6ad813a53f2d4db",
"tag": "v1.15.19-edg.0",
"digest": "sha256:700218a5ffc10473ce9b09d560b8e0e3ed1309a4d57a9273da2ed16e3e1533f3",
"useDigest": true,
},
"operator": map[string]any{
"image": map[string]any{
"repository": "ghcr.io/edgelesssys/cilium/operator",
"suffix": "",
"tag": "v1.15.8-edg.0",
"tag": "v1.15.19-edg.0",
// Careful: this is the digest of ghcr.io/.../operator-generic!
// See magic image manipulation in ./helm/charts/cilium/templates/cilium-operator/_helpers.tpl.
"genericDigest": "sha256:dd41e2a65c607ac929d872f10b9d0c3eff88aafa99e7c062e9c240b14943dd2e",
"genericDigest": "sha256:5db046fea42cb1239d4eaa0f870d10e77911768a1eaf34c4968488dea93e27c4",
"useDigest": true,
},
"podDisruptionBudget": map[string]any{
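Review bot: the agent and operator images are pinned by digest here with `useDigest: true`, which is good, but the commit gives no provenance for the two new `sha256:` values; add how they were obtained (the image build output or a `crane digest` of the `ghcr.io/edgelesssys` tag) so a reviewer can check them. Also note that the chart's other first-party images (`hubble-relay`, `clustermesh-apiserver`, `preflight`) still ship with `digest: ""` and `useDigest: false`, so those are pulled by mutable tag; if they are used in Constellation, they deserve the same pinning.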