From 9755ad92421c85f17b1160a7c7188784ce005f88 Mon Sep 17 00:00:00 2001
From: Joe Stringer <joe@cilium.io>
Date: Thu, 31 Aug 2023 10:33:32 -0700
Subject: [PATCH] Revert "Prepare for release v1.15.0-pre.0"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 6375d28442800ec27a139d6b4779aa9ff87bd84e.

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Joe Stringer <joe@cilium.io>
---
 CHANGELOG.md                          | 444 --------------------------
 Documentation/helm-values.rst         |  32 +-
 VERSION                               |   2 +-
 install/kubernetes/cilium/Chart.yaml  |   4 +-
 install/kubernetes/cilium/README.md   |  34 +-
 install/kubernetes/cilium/values.yaml |  56 ++--
 6 files changed, 64 insertions(+), 508 deletions(-)
 delete mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index 103bbe0667547..0000000000000
--- a/CHANGELOG.md
+++ /dev/null
@@ -1,444 +0,0 @@
-# Changelog
-
-## v1.15.0-pre.0
-
-Summary of Changes
-------------------
-
-**Major Changes:**
-* Add support for k8s 1.28 (#27361, @aanm)
-* bgpv1: Add `bgp/routes` API endpoint and `cilium bgp routes` CLI command (#27182, @rastislavs)
-* Introduce ability to specify SAFI/AFI for specific BGP peers. (#26940, @ldelossa)
-* Module Health: Node Manager: First Iteration (#25994, @tommyp1ckles)
-
-**Minor Changes:**
-* *_kvstore_operations_duration_seconds metrics do not include client-side rate-limiting latency anymore. (#27396, @marseel)
-* .github/workflows: don't error out if pkill finds no processes (#26357, @lmb)
-* .github: dump buddyinfo and pagetypeinfo when ci-e2e fails (#26600, @lmb)
-* Add `cilium bpf auth flush` command for debugging purposes (#27216, @meyskens)
-* Add an option to specify a filters and field mask for hubble-exporter (#26379, @AwesomePatrol)
-* Add documentation of Hubble exporter - an option to save Hubble flows to a file (#27610, @AwesomePatrol)
-* Add per-controller success/failure count metrics and a config option for these (#26850, @asauber)
-* Add Prometheus map pressure metrics for NAT maps (#27001, @derailed)
-* Add securityContext for spire pod in helm chart (#27363, @ishuar)
-* Add source and destination workload_kind context labels (Hubble). (#27350, @marqc)
-* Add SPIRE connection to `cilium status` (#26896, @meyskens)
-* Add strict mode for WireGuard Pod2Pod encryption (#21856, @3u13r)
-* Added the EnableHealthCheckLoadBalancerIP flag to address health checks on LoadBalancerIP in Google Cloud Platform using KubeProxyReplacement. (#26728, @nberlee)
-* api: Add extensions field to observer.GetFlowsRequest and flow.Flows types (#27577, @chancez)
-* Augments `cilium status` CLI to report on agent modules health status. (#25714, @derailed)
-* bpf: allow overriding Makefile variables (#27492, @lmb)
-* bpf: compile test ENABLE_EGRESS_GATEWAY_COMMON (#27515, @lmb)
-* bpf: gate egressgw datapath on separate defines (#27189, @lmb)
-* bpgv1: move the internal BGP signaler to a cell and allow other cells to depend on it. (#26745, @ldelossa)
-* Change the Helm values configuration for SPIRE to match other images in the Helm charts (#27621, @weizhoublue)
-* cilium/cmd: make output of 'cilium policy selectors' sorted. (#27803, @tommyp1ckles)
-* cilium: export intermediate cobra.Commands (#26265, @lmb)
-* cilium: use absolute path to include Makefile.defs (#27054, @lmb)
-* cli: Update `cilium policy import` to allow policy replacement by label (#27103, @deverton-godaddy)
-* clustermesh-apiserver deployment support lifecycle and terminationGracePeriodSeconds. (#26945, @acgs771126)
-* daemon: Do not require native routing CIDR if ipmasq-agent is enabled (#27747, @gandro)
-* docs, cilium: Remove `cilium endpoint regenerate` command (#27326, @christarazi)
-* egressgw: inject datapath config via hive (#27414, @lmb)
-* egressgw: refactor check for conflicting egress IPs (#27491, @lmb)
-* egressgw: tidy up Config handling (#27221, @lmb)
-* endpoint, endpointmanager: Publish max policymap size as metric (#27367, @christarazi)
-* envoy: Bump envoy to 1.26.2 (#26851, @sayboras)
-* envoy: Bump envoy version to v1.26.4 (#27104, @sayboras)
-* envoy: Update envoy version to the latest build (#27819, @jrajahalme)
-* Extend AWS metadata-based policy enforcement to work with any VPC-enabled service. (#27071, @spacepants)
-* Fix LookupReservedIdentityByLabels function to return consistent results (#26795, @skmatti)
-* gateway-api: Bump version to v0.8.0-rc1 (#27592, @sayboras)
-* Hubble: improve security by adding an option to redact API key in Kafka requests (L7) (#25844, @ioandr)
-* hubble: replace deprecated usage of grpc.WithInsecure. (#25631, @tommyp1ckles)
-* Increase number of dnsproxy mutexes from 128 to 131. (#27147, @marseel)
-* ipam, metrics: Add new capacity metric (#27710, @christarazi)
-* Modular daemon and operator (#25986, @pippolo84)
-* Refactor hubble redact settings schema (#26989, @ChrsMark)
-* Refactor hubble redact settings schema [v2] (#27553, @ChrsMark)
-* Remove deprecate clustermesh CA configuration from the helm chart (#27162, @giorio94)
-* When BGP control plane is enabled and configured for service announcements, it will only advertise a matching service that has an unspecified loadbalancerClass or set for "io.cilium/bgp-control-plane". (#26905, @danehans)
-
-**Bugfixes:**
-* Add a 5 second timeout to the Mutual Auth TCP handshake (#26650, @meyskens)
-* bgpv1: fix manager_test.go build error (#27543, @ldelossa)
-* bpf: nat: set .from_local_endpoint for all inter-cluster SNAT traffic (#26853, @julianwiedmann)
-* bpf: nodeport: add RevDNAT-based FIB lookup for reply traffic (#26638, @julianwiedmann)
-* bug: In dual-stack mode (both IPv4 and IPv6 are enabled), Cilium incorrectly converted CIDRs that covered all possible addresses for an IP Family (e.g. 0.0.0.0/0) to the "reserved:world" entity. Both IP families must be completely covered for "reserved:world" to apply. This resulted in dual-stack mode network policies that could not distinguish between world IPv4 and IPv6 traffic, treating them as one entity instead. (#22625, @nathanjsweet)
-* cleanup: can clean the bpf filters created by the cilium agent with lower version (#27373, @sofat1989)
-* Do mutual authentication handshake again if mismatch between bpf map and cached map happens (#27241, @meyskens)
-* egressgw: policy: ensure egressGateway field is not nil (#27802, @jibi)
-* envoy: fix init order between accesslog and xDS server (#27617, @mhofstetter)
-* Fix a bug that could cause an incorrect max. sequence number to be reported by `cilium encrypt status` when IPsec is enabled. (#27656, @pchaigno)
-* Fix cilium-envoy ServiceMonitor port name (#27207, @pixiono)
-* Fix connection disruption for IPsec during downgrade to v1.14 by attaching correct bpf program to devices. (#27480, @jschwinger233)
-* Fix connectivity issues caused by missing conntrack entry when service pod connects to itself via clusterIP. (#27602, @julianwiedmann)
-* Fix endpoint logger not formatting logs as JSON when daemon log format is set to JSON (#27263, @leblowl)
-* Fix Gateway managed services not exposing all ports (#27695, @Managarmrr)
-* Fix possible cross-cluster connection drops on agents restart when clustermesh is enabled (#27575, @giorio94)
-* Fix potential cross-node connectivity issue when IPsec is enabled with ENI or Azure IPAM modes. (#26663, @gandro)
-* Fixes a issue that IPsec key rotation can't be triggered. (#27694, @jschwinger233)
-* Fixes an issue where an empty ControlPlaneState was used during registration of BGP speakers. This would cause reconciliation issues as the current state would be unknown. (#27117, @ldelossa)
-* Handle `.status.conditions` on `Service`s using in accordance with KEP-1623 (#27399, @addreas)
-* health: Update Cilium agent to listen on nodeip (#26845, @tamilmani1989)
-* helm: fix envoy daemonset loglevel with multiple verbose debug groups (#27698, @mhofstetter)
-* ingress: fix panic on ingress rule without HTTPIngressRule (#27818, @mhofstetter)
-* ipam: when a CiliumNode is removed, delete node label from metrics. (#27713, @tommyp1ckles)
-* metrics: fix potential conflict on metrics registration (#27007, @ysksuzuki)
-* Prioritization of which DNS mappings to keep was suboptimal, leading to evictions of mappings related to alive connections, worsening performance of fqdn policies and causing spurious logging. (#27572, @bimmlerd)
-* proxy: fix multiple envoy listeners for same proxyType (#27510, @mhofstetter)
-* Read FQDNRejectResponseCode from config (#27362, @ayuspin)
-* spire: add scheduling configurations to helm-chart (#27229, @tvonhacht-apple)
-
-**CI Changes:**
-* .github: Remove Loki action (#26676, @joestringer)
-* Add missing ariane trigger phrases (#27822, @tklauser)
-* bpf/tests: Cover IPsec key rotations (#27185, @pchaigno)
-* bpf: test: pktgen cleanups (#26776, @julianwiedmann)
-* bpf: tests: add helpers for boilerplate code (#27429, @julianwiedmann)
-* bpf: tests: add helpers for common patterns (#27134, @julianwiedmann)
-* bpf: tests: improve CT checks for observed TCP flags (#26802, @julianwiedmann)
-* build(deps): bump tornado from 6.2 to 6.3.3 in /Documentation (#27497, @dependabot[bot])
-* ci-ginkgo: conditionally skip fetching artifacts & junit report (#27081, @mhofstetter)
-* ci-gke: adjust junit file names to matrix properties (#27072, @mhofstetter)
-* CI: Add conn-disrupt-test action for reuse (#27567, @jschwinger233)
-* CI: Add IPsec key rotation test (#27203, @jschwinger233)
-* ci: add scheduled runs for Ariane workflows (#27687, @nbusseneau)
-* ci: Automate generation and update of docs-builder image (#24121, @qmonnet)
-* ci: fix checking `github.event.pull_request.head.sha` (#26775, @mhofstetter)
-* ci: increase junit artifact retention from 2 to 5 days (#27021, @mhofstetter)
-* CI: Move IPsec CI jobs into separate pipelines (#26730, @jschwinger233)
-* CI: Rename workflow names (#27391, @brlbil)
-* ci: replace GHA action Sibz/github-status-action (#26976, @mhofstetter)
-* ci: Run documentation workflow on README.rst updates (#26559, @qmonnet)
-* ci: upload and publish JUnit test results for conformance-multi-pool (#27025, @mhofstetter)
-* ci: use env variable to store branch name (#26779, @ferozsalam)
-* datapath: Cover subnet encryption in XFRM leak test (#27212, @pchaigno)
-* datapath: Fix TestNodeChurnXFRMLeaks (#27274, @brb)
-* Disable the images digest when pushing the development helm chart (#27646, @giorio94)
-* egressgw: back out test for policy conflict in ENI mode (#27432, @julianwiedmann)
-* Extend Integration Test timeout (#27811, @YutaroHayakawa)
-* Fix container scanning workflow (#26542, @ferozsalam)
-* gh/actions: Customize cilium-config (#27416, @brb)
-* gh/workflows: Fix setting endpoint routes in ci-e2e (#27384, @brb)
-* Improve service unit test robustness (#26212, @strudelPi)
-* ingress: Add conformance test for KPR=false (#27304, @sayboras)
-* ipam: Fix race in NodeManager.Resync (#26963, @jaffcheng)
-* jenkinsfiles: remove kubernetes upstream (#27349, @aanm)
-* k8s: Replace generate-internal-groups.sh script (#27591, @sayboras)
-* Make ci-ipsec-upgrade a part of /test (#27557, @jschwinger233)
-* make: drop redundant `go vet ./...` from integration tests (#26565, @tklauser)
-* node: Integration test for XFRM leaks on node churn (#27187, @pchaigno)
-* Remove validation timeout in controlplane testing (#26414, @pippolo84)
-* renovate: Pin cilium-cli version for <v1.14 (#26716, @michi-covalent)
-* Revert quarantine k8s datapath services test (#26400, @marseel)
-* update upgrade tests to test from v1.14.0 to main (#27114, @aanm)
-
-**Misc Changes:**
-* .clang-format: Re-write and re-license .clang-format (#26640, @qmonnet)
-* .github: add Dockerfile for hubble-relay image in Renovate config (#27404, @aanm)
-* .github: add workflow to track replied issues (#27283, @aanm)
-* .github: do not upgrade ubuntu runner for integration tests (#27829, @aanm)
-* .github: fix renovate config (#27727, @aanm)
-* .github: Remove master mirror (#25806, @joestringer)
-* .github: Remove remaining references to v1.11 (#26681, @joestringer)
-* .github: use kindest/node instead of quay.io/cilium/kindest-node (#27729, @aanm)
-* .github: write the right regex for little-vm-images versioning (#27390, @aanm)
-* Add a troubleshooting Gateway API part of the documentation (#25945, @meyskens)
-* Add Berops to `USERS.md` (#27483, @bernardhalas)
-* Add checks to avoid use of logrus WithFields function in hot paths (#26327, @learnitall)
-* Add deepcopy plugin (#26978, @AwesomePatrol)
-* Add docs on first and last IP of LB-IPAM pool (#27110, @darox)
-* Add G DATA CyberDefense AG as user (#27316, @farodin91)
-* Add guidance for bumping the Golang version in Cilium (#26789, @ferozsalam)
-* add links to enterprise support and slack to the issues page for easier discoverability (#26551, @xmulligan)
-* add lint-go to merge queue check (#27542, @aanm)
-* Add metrics for LB-IPAM (#26173, @dylandreimerink)
-* Add note to the quick install documentation for increasing inotify limits (#27140, @leblowl)
-* Add prerelease-testing issue template (#27766, @jspaleta)
-* Add script to run GitHub ginkgo workflow locally (#26540, @qmonnet)
-* add Twilio to Users list (#27755, @michaelsaah)
-* Add workload label context (hubble metrics). (#25667, @marqc)
-* Added metrics for jobs (#26077, @dylandreimerink)
-* alibabacloud: Allocate from vswitches with the most IP addresses (#27696, @jaffcheng)
-* Allow Golang bump to v1.20 on Cilium v1.12 and v1.13 (#27434, @ferozsalam)
-* auth: depend on nodeIDHandler directly (#27106, @mhofstetter)
-* bgp: fix up formatting in CiliumBGPPeeringPolicy (#27219, @julianwiedmann)
-* bgpv1: Add GetRoutes method to Router interface and generic Path type (#26803, @rastislavs)
-* bgpv1: Use Path type in AdvertisePath & WithdrawPath (#27223, @rastislavs)
-* bpf: avoid calculating L4 offset (#27313, @julianwiedmann)
-* bpf: ct: clean up tuple swapping for forward lookups (#26826, @julianwiedmann)
-* bpf: ct: clean up unused .seen_non_syn flag for ICMP entries (#26754, @julianwiedmann)
-* bpf: ct: document some unused fields in ct_entry struct (#27692, @julianwiedmann)
-* bpf: ct: simplify ct_action parameter for CT lookup (#26527, @julianwiedmann)
-* bpf: dsr: don't track ifindex of ingress interface (#27528, @julianwiedmann)
-* bpf: dsr: ensure that Geneve options have correct size (#26707, @julianwiedmann)
-* bpf: dsr: merge Ingress tail-calls into nodeport_lb*() (#27267, @julianwiedmann)
-* bpf: exclude EgressGW logic in bpf_overlay (#26611, @julianwiedmann)
-* bpf: install proxy routes using Go, remove init.sh (#27445, @ti-mo)
-* bpf: lxc: clarify kube-proxy workaround in to-container path (#27604, @julianwiedmann)
-* bpf: lxc: cleanups (#27044, @julianwiedmann)
-* bpf: lxc: remove unused IPv6 loopback code (#27601, @julianwiedmann)
-* bpf: minor ICMPv6 improvements (#26563, @julianwiedmann)
-* bpf: minor loopback cleanups (#27764, @julianwiedmann)
-* bpf: nat: Handle errors from snat_v(4|6)_prepare_state() (#26501, @qmonnet)
-* bpf: nat: improve logic that creates the NAT entries (#26594, @julianwiedmann)
-* bpf: nat: minor improvements (#26520, @julianwiedmann)
-* bpf: nat: share rewrite logic in RevSNAT path (#27366, @julianwiedmann)
-* bpf: nat: small Masquerading improvements (#26848, @julianwiedmann)
-* bpf: nat: SNAT cleanups (#26889, @julianwiedmann)
-* bpf: nat: use common set of rewrite helpers (#27509, @julianwiedmann)
-* bpf: nodeport: consolidate packet rewrite in RevDNAT path (#26852, @julianwiedmann)
-* bpf: nodeport: improve ICMP vs DSR co-existence (#26562, @julianwiedmann)
-* bpf: nodeport: improve tracing for inlined RevDNAT processing (#27191, @julianwiedmann)
-* bpf: nodeport: integrate Ingress RevSNAT and RevDNAT paths (#27488, @julianwiedmann)
-* bpf: overlay: clarify delivery to local host (#27580, @julianwiedmann)
-* bpf: overlay: remove unused code (#27026, @julianwiedmann)
-* bpf: policy: cleanups to reduce program size (#27369, @julianwiedmann)
-* bpf: Rename proxy_identity to src_sec_identity (#27517, @joestringer)
-* bpf: small improvements in TTL / hoplimit handling (#27146, @julianwiedmann)
-* bpf: snat: DSR-eligible traffic can skip check for Nodeport NAT conflict (#26674, @julianwiedmann)
-* bpf: xdp: remove unused XFER_ENCAP_* enums (#27264, @julianwiedmann)
-* build(deps): bump certifi from 2022.12.7 to 2023.7.22 in /Documentation (#27064, @dependabot[bot])
-* build(deps): bump pygments from 2.14.0 to 2.15.0 in /Documentation (#26957, @dependabot[bot])
-* Bump allowed Golang version for v1.11 and v1.12 (#26713, @ferozsalam)
-* Bump controller-tools fork to v0.8.0-1 (#27063, @christarazi)
-* Change makefile cache to rebuild on header changes (#27605, @dylandreimerink)
-* chart: define the envoy image variable in the makefile (#27725, @weizhoublue)
-* chore(deps): pin hramos/needs-attention action to 4d47f33 (main) (#27286, @renovate[bot])
-* chore(deps): update actions/checkout action to v3.5.3 (main) (#26568, @renovate[bot])
-* chore(deps): update all github action dependencies (main) (minor) (#26570, @renovate[bot])
-* chore(deps): update all github action dependencies (main) (minor) (#26821, @renovate[bot])
-* chore(deps): update all github action dependencies (main) (minor) (#27737, @renovate[bot])
-* chore(deps): update all github action dependencies (main) (patch) (#26691, @renovate[bot])
-* chore(deps): update all github action dependencies (main) (patch) (#26819, @renovate[bot])
-* chore(deps): update all github action dependencies (main) (patch) (#27478, @renovate[bot])
-* chore(deps): update all kind-images main (main) (#27477, @renovate[bot])
-* chore(deps): update all kind-images main (main) (patch) (#27479, @renovate[bot])
-* chore(deps): update all lvh-images main (main) (patch) (#27339, @renovate[bot])
-* chore(deps): update all lvh-images main (main) (patch) (#27372, @renovate[bot])
-* chore(deps): update all lvh-images main (main) (patch) (#27421, @renovate[bot])
-* chore(deps): update aws-actions/configure-aws-credentials action to v3 (main) (#27743, @renovate[bot])
-* chore(deps): update cilium/cilium-cli action to v0.15.4 (main) (#26971, @renovate[bot])
-* chore(deps): update cilium/cilium-cli action to v0.15.6 (main) (#27600, @renovate[bot])
-* chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#26974, @renovate[bot])
-* chore(deps): update cilium/little-vm-helper action to v0.0.12 (main) (#27257, @renovate[bot])
-* chore(deps): update dependency cilium/cilium-cli to v0.15.0 (main) (#26571, @renovate[bot])
-* chore(deps): update dependency cilium/cilium-cli to v0.15.2 (main) (#26784, @renovate[bot])
-* chore(deps): update dependency cilium/cilium-cli to v0.15.3 (main) (#26875, @renovate[bot])
-* chore(deps): update dependency cilium/cilium-cli to v0.15.4 (main) (#27127, @renovate[bot])
-* chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27258, @renovate[bot])
-* chore(deps): update dependency cilium/cilium-cli to v0.15.5 (main) (#27261, @renovate[bot])
-* chore(deps): update dependency cilium/cilium-cli to v0.15.6 (main) (#27613, @renovate[bot])
-* chore(deps): update dependency google/gops to v0.3.28 (main) (#27412, @renovate[bot])
-* chore(deps): update dependency ubuntu to v22 (main) (#27745, @renovate[bot])
-* chore(deps): update docker.io/library/alpine docker tag to v3.18.3 (main) (#27735, @renovate[bot])
-* chore(deps): update docker.io/library/golang:1.20.5 docker digest to 344193a (main) (#26481, @renovate[bot])
-* chore(deps): update docker.io/library/golang:1.20.6 docker digest to cfc9d1b (main) (#26818, @renovate[bot])
-* chore(deps): update docker.io/library/golang:1.21.0 docker digest to b490ae1 (main) (#27598, @renovate[bot])
-* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 0bced47 (main) (#26689, @renovate[bot])
-* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 6120be6 (main) (#26432, @renovate[bot])
-* chore(deps): update docker.io/library/ubuntu:22.04 docker digest to ec050c3 (main) (#27529, @renovate[bot])
-* chore(deps): update docker/setup-buildx-action action to v2.9.0 (main) (#26694, @renovate[bot])
-* chore(deps): update github/codeql-action action to v2.21.2 (main) (#27265, @renovate[bot])
-* chore(deps): update github/codeql-action action to v2.21.5 (main) (#27734, @renovate[bot])
-* chore(deps): update go to v1.20.6 (main) (patch) (#26781, @renovate[bot])
-* chore(deps): update go to v1.20.7 (main) (patch) (#27259, @renovate[bot])
-* chore(deps): update go to v1.21.0 (main) (minor) (#27444, @renovate[bot])
-* chore(deps): update golangci/golangci-lint docker tag to v1.54.0 (main) (#27385, @renovate[bot])
-* chore(deps): update golangci/golangci-lint docker tag to v1.54.1 (main) (#27538, @renovate[bot])
-* chore(deps): update golangci/golangci-lint docker tag to v1.54.2 (main) (#27619, @renovate[bot])
-* chore(deps): update hubble cli to v0.12.0 (main) (minor) (#26762, @renovate[bot])
-* chore(lint): Enable linting with gosimple (#26965, @mrueg)
-* chore: Use xxx.String() instead of string(xxx.Bytes()) (#26165, @testwill)
-* ci-e2e: Enable debug.verbose for envoy (#26860, @sayboras)
-* ci: fix go mod step name (#27711, @nbusseneau)
-* ci: set timeout on build images workflows (#27341, @mhofstetter)
-* ci: skip cosign / sbom in case of building images during cache rebuild (#26786, @mhofstetter)
-* ci: skip fetching sysdump in case of skipped LB test (#26774, @mhofstetter)
-* ci: skip post-test info gathering in case of skipped cilium installation (#26729, @mhofstetter)
-* cilium, docs: Add a note about KPR and nfs dependencies (#27678, @borkmann)
-* cilium, docs: Add rc.0 to development releases (#26564, @borkmann)
-* cilium, iptables: Extend to cover default route in enable-masquerade-… (#27664, @borkmann)
-* cilium: Add option to masq to source route (#27618, @borkmann)
-* cilium: Fix 16bit ifindex limitation (#27622, @borkmann)
-* clean-up: remove check for permissive CCNPs (#27690, @shawnh2)
-* cleanup: code cleanup to remove unused parameter from repository add api (#26943, @tamilmani1989)
-* clustermesh: make extra ipcache watcher options configurable (#27336, @giorio94)
-* cni: Follow CNI spec by using `(containerID, ifName)` as unique endpoint identifier (#26894, @gandro)
-* cni: log format byte array as string (#26740, @aojea)
-* cocci: Re-license Coccinelle scripts as Apache 2.0 (#26629, @qmonnet)
-* CODEOWNERS: assign bpf/lib/auth.h to sig-servicemesh (#27083, @mhofstetter)
-* CODEOWNERS: assign egressgw control plane/datapath logic to egress-gateway team (#26952, @jibi)
-* CODEOWNERS: assign pkg/backoff to @cilium/sig-agent (#26573, @jibi)
-* codeowners: include sig-servicemesh into cilium envoy & spire helm (#27559, @mhofstetter)
-* CODEOWNERS: remove stale cilium_egress_gateway_policy.go entry (#27234, @giorio94)
-* Computed and propagated the value of OldEndpoints field when merging remote cluster information. (#26474, @akstron)
-* config: Use String instead of StringVar method (#27794, @pippolo84)
-* Configure the linux node config writer through Hive (#27180, @giorio94)
-* contrib: add check for new files in check-(api|k8s)-code-gen scripts (#26790, @giorio94)
-* contrib: Add support for X.Y.Z-pre.N releases (#27807, @joestringer)
-* contrib: fix bump-readme script (#27648, @nebril)
-* contrib: Make hint command copy and paste friendly (#27585, @sayboras)
-* Correct cni path in k3s installation documentation for rancher desktop (#27702, @RichardoC)
-* Creation of the /hello endpoint is delayed until the host datapath has been initialized. (#27392, @lmb)
-* daemon: remove redundant wait on restoreComplete (#27603, @ti-mo)
-* daemon: Use API server cell and adapt handlers (#25000, @joamaki)
-* datapath/linux/probes: remove unused Have{Map,Program}Type wrappers (#26666, @tklauser)
-* datapath: Devices table and controller (#24677, @joamaki)
-* Disable StateDB metrics by default (#27657, @dylandreimerink)
-* Do not log on errant release of reserved identity (#26768, @asauber)
-* doc: Documented pitfall with NS labels in CNPs (#26134, @PhilipSchmid)
-* doc: Improved Cilium ingress annotations table (#26381, @PhilipSchmid)
-* docs: Add Conformance Badge for Gateway API (#27470, @sayboras)
-* docs: Add docs structure recommendations, update style guide (#26632, @qmonnet)
-* docs: Add Keploy to user list (#27244, @Sonichigo)
-* docs: Add missing spelling exception (#26780, @qmonnet)
-* docs: Document Potential Dual-Stack Upgrade Issues for 1.15 (#25204, @nathanjsweet)
-* docs: Fix a typo and improve readability of a control plane architecture description in BGP Control Plane documentation (#27461, @distributethe6ix)
-* Docs: Fix ipam_nodes metric description (#27217, @antonipp)
-* docs: fix minor TOC issues (#26714, @networkop)
-* docs: Fix the typo for SPIRE PVC installation option name (#27503, @haiyuewa)
-* docs: fix typo in troubleshooting guide (#26811, @learnitall)
-* docs: Fix unintentional boolean value in YAML (#26682, @dgl)
-* docs: Improve wording for labels and services policies (#27171, @joestringer)
-* docs: Improve wording in contributions guide (#27407, @joestringer)
-* docs: optimize ingress default tls secret documentation (#26684, @mhofstetter)
-* docs: Split, update, improve the contributing guide for reviewers and committers (#27085, @qmonnet)
-* Document Kind Delve debugging workflow (#26506, @ti-mo)
-* Documentation: Replace netperf images in StarWars demos (#26842, @hhoover)
-* Don't retry one shot jobs during hive shutdown (#27395, @giorio94)
-* Drop mock file support from clustermesh-apiserver (#27825, @giorio94)
-* drop support for 1.11 (#27077, @aanm)
-* egressgw: always set ifaceName in deriveFromPolicyGatewayConfig() (#26973, @julianwiedmann)
-* egressgw: delete stale nexthop routes (#27105, @julianwiedmann)
-* egressgw: detect conflicting configurations in ENI mode (#27281, @julianwiedmann)
-* egressgw: use Resource[T] to consume CiliumEgressGatewayPolicy (#26960, @lmb)
-* egressgw: use route.Upsert() for inserting nexthop / prefix IP route (#26990, @julianwiedmann)
-* Enable strict validation of cluster config for clustermesh (#27246, @giorio94)
-* endpoint/id: simplify TestSplitID (#26581, @tklauser)
-* Endpoint: actually treat identifiers as immutable, remove lock (#26757, @squeed)
-* endpoint: moveNewFilesTo performance and error handling improvements (#26238, @learnitall)
-* endpointmanager: unexport and inline functions only used in the package (#27426, @tklauser)
-* endpointslice: fix EndpointSlice import (#26938, @mhofstetter)
-* envoy: Bump cilium proxy to latest version (#27555, @mhofstetter)
-* envoy: set socket opts only if not already present in CEC (#27531, @mhofstetter)
-* Fix restore of previous router IP due to missing VPC CIDR in Alibabacloud section of CiliumNode Spec (#26843, @haozhangami)
-* Fix spelling for "WireGuard" (#26764, @qmonnet)
-* fix(deps): update all go dependencies main (main) (#26567, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (#27348, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (#27440, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (minor) (#26695, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (minor) (#26822, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (minor) (#27266, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (minor) (#27742, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (patch) (#26569, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (patch) (#26693, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (patch) (#26820, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (patch) (#27135, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (patch) (#27260, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (patch) (#27441, @renovate[bot])
-* fix(deps): update all go dependencies main (main) (patch) (#27736, @renovate[bot])
-* fix(deps): update module github.com/aliyun/alibaba-cloud-sdk-go to v1.62.445 (main) (#26832, @renovate[bot])
-* fix: add check if debug is enabled when adding trace levels to envoy deamonset. (#27161, @dreanor65)
-* fix: platform typo (#27368, @testwill)
-* Fixed conflicting PRs in main (#27209, @dylandreimerink)
-* Fixes: typo (#27201, @weizhoublue)
-* For services with `External Traffic Policy: Local` Service health returns http header "X-Load-Balancing-Endpoint-Weight" with number of local endpoints. The same information is still available in response body JSON payload.LocalEndpoints. (#27017, @cezarygerard)
-* Generalize ClusterID reservation mechanism for clustermesh (#27248, @giorio94)
-* gh: feature template: s/request/proposal (#27023, @julianwiedmann)
-* go.mod, renovate: specify and update Go toolchain version (#27820, @tklauser)
-* go.mod, vendor: use github.com/cilium/dns fork directly (#27582, @tklauser)
-* helm: Fix typo in cilium chart's description (#27389, @nu-wa)
-* helm: Improve debug.verbose docs (#26463, @lgadban)
-* helm: put extraConfig back to the end of ConfigMap cilium-config (#27556, @mhofstetter)
-* helm: Updated description for Helm 'devices' flag (#26557, @PhilipSchmid)
-* Hubble-ui now supports liveness and readiness probes (#27028, @mkilchhofer)
-* images/builder: update dependencies (#27566, @rolinh)
-* Import new version of forked controller-tools (#26918, @AwesomePatrol)
-* improv: check for k8s backing before running sync (#27269, @kwakubiney)
-* Improve documentation for review process for contributors and reviewers (#27324, @joestringer)
-* Improve Hubble decoding performance for drop, debug, policy and tracesock events (#25751, @Jack-R-lantern)
-* Improve Hubble decoding performance for trace events (#24162, @brancz)
-* Improve translation of CIDRGroupRefs (#26369, @pippolo84)
-* init.sh: move netlink device creation to Go (#27082, @rgo3)
-* init.sh: move obsolete bpf_host removal to Go (#26539, @rgo3)
-* Introduce resiliency package (#27614, @derailed)
-* ipam,alibabacloud: Improve event driven instance resync (#25619, @jaffcheng)
-* ipam: remove always-nil NewCIDRRange error return value (#26706, @tklauser)
-* ipcache: Deprecate old API (#27576, @joestringer)
-* ipcache: propagate cluster ID as part of the key (#27337, @giorio94)
-* ipcache: Skip conflict logging for tunnelpeer if native routing (#27331, @christarazi)
-* k8s/apis: refactor CRD registration helpers into a separate package (#26834, @tklauser)
-* kvstore: drop unused deleteInvalidPrefixes variable (#27074, @giorio94)
-* Log endpoint instead of pod names where appropriate (#27427, @tklauser)
-* MAINTAINERS: Add Jussi Mäki (#26603, @michi-covalent)
-* Make it easier to depend on clustermesh types outside of its package (#27242, @giorio94)
-* Make the community team the owner of /USERS.md (#27321, @michi-covalent)
-* make: allow to override values.yaml template name (#27235, @giorio94)
-* Makefile: remove check-go-version target (#27460, @tklauser)
-* maps: do not depend on global variable to initialize CT maps (#27275, @giorio94)
-* maps: maglev_test: remove toleration for 4.9 kernel (#27046, @julianwiedmann)
-* Misc updates in renovate configuration (#27328, @aanm)
-* mlh: disable remove PR to project (#26863, @mhofstetter)
-* mlh: use a regexp to check signed-off-by (#27732, @kaworu)
-* netns: remove unused RemoveIfFromNetNSWithNameIfBothExist (#27411, @tklauser)
-* node: introduce prefix cluster mutator (#27354, @giorio94)
-* nodediscovery: support additional IP address sources for the local node (#27507, @tklauser)
-* Operator: Add missing observability for Azure API calls (#26277, @hemanthmalla)
-* pkg/aws: Improve event driven instance resync for AWS IPAM (#27791, @jaffcheng)
-* pkg/cidr: Move linux specific variable references from netlink (#27638, @aditighag)
-* pkg/policy: Convert benchmarks in resolve_test.go to std benchmarks (#27815, @christarazi)
-* plugins/cilium-cni: cleanups around IPAM allocation and veth pair creation (#26595, @tklauser)
-* plugins/cilium-cni: make error formatting consistent (#27535, @tklauser)
-* plugins/cilium-cni: reduce string allocations of CNI command arguments (#27681, @tklauser)
-* policy: Describe CIDR superset logic for denies and FQDN (#26720, @joestringer)
-* Prepare for release v1.14.0-rc.0 (#26546, @joestringer)
-* Prepare for v1.15 development cycle (#26516, @joestringer)
-* Provide CT/NAT maps GC logic through hive (#27356, @giorio94)
-* proxy: introduce envoy cell (#26657, @mhofstetter)
-* proxy: refactor package global vars to proxy fields (#26619, @mhofstetter)
-* proxy: refactor proxy.CreateOrUpdateRedirect (#26839, @mhofstetter)
-* proxy: remove unused xds resource access timeout (#26747, @mhofstetter)
-* README: Remove v1.11 from stable releases table (#27466, @joestringer)
-* Refactor duplicate imports for Cilium v2alpha1 API (#26620, @dlapcevic)
-* Refactor the per-cluster CT maps manager (#27448, @giorio94)
-* Refactor the per-cluster NAT maps manager (#27430, @giorio94)
-* Refactor watchstore/watchsync metrics (#27485, @marseel)
-* Refactors the use of ControlPlaneState in the BGP-CP (#26992, @ldelossa)
-* Register endpointmanager metrics via dependency injected registry (#26078, @dylandreimerink)
-* relicense test/bpf/unit_test.c to not be GPL (#26618, @Joffref)
-* Remove NodeSpecer and ControlPlaneState from BGP-CP. Rely on Hive/Cell for further ConfigReconciler dependencies. (#27285, @ldelossa)
-* Remove unnecessary type conversions in fqdn zombies handling (#27047, @giorio94)
-* removed unnecessary 'revert' parameter from Newk8sTranslator and updated api calls accordingly. (#26217, @akstron)
-* Removes Unused TransformToNode() Func (#26743, @danehans)
-* renovate: ignore all gops updates (#27631, @tklauser)
-* Replace some usages of fmt.Sprintf with more efficient string concatenation (#27518, @schlosna)
-* Replace StateDB with StateDB2 (#27628, @dylandreimerink)
-* resource: Add support for custom Indexers (#27032, @pippolo84)
-* Revert ".github: write the right regex for little-vm-images versioning" (#27415, @aanm)
-* Revert "Refactor hubble redact settings schema" (#27352, @joamaki)
-* Set RouteMTU for generic veth (#26495, @sugangli)
-* SRv6: Add quality of life methods for SID map usage. (#27192, @ldelossa)
-* statedb v2.0 with per-table locks and delete tracking (#27160, @joamaki)
-* statedb: extract REST API handler to pkg (#26645, @bimmlerd)
-* statedb: Rename statedb2 to statedb (#27643, @joamaki)
-* Support for batch deletion of endpoints (#27351, @tklauser)
-* test/controlplane: Fix hostport test after API change (#26685, @pippolo84)
-* tests: replace more incorrect DeepEquals uses (#25829, @markpash)
-* treewide: wrap multiple errors using the standard library (#26524, @rolinh)
-* typo in the debug document (#27627, @weizhoublue)
-* typo: the clustermesh secret name (#27658, @weizhoublue)
-* Update Palantir usecases (#26633, @ungureanuvladvictor)
-* Update prereleases (#26871, @joestringer)
-* Update renovate configuration for ginkgo and kindest/node (#27347, @aanm)
-* Update stable releases (#27112, @aanm)
-* Update stable releases (#27126, @nathanjsweet)
-* Update stable releases (#27637, @asauber)
-* Update the TCP conntrack entry timeouts to a lower value, so that closed entries are garbage collected earlier, thus freeing up the conntrack map. (#27665, @aditighag)
-* Use generic Set instead of specified Set (#26378, @bzsuni)
-* Use generics in k8s factory functions (#26367, @AwesomePatrol)
-* Use Go 1.19 atomic types (#27563, @tklauser)
-* USERS: Add Trendyol (#26946, @eminaktas)
-* vendor: downgrade github.com/shirou/gopsutil/v3 to v3.23.2 (#27623, @aanm)
-* watchers: use resource for network policies (#26601, @bimmlerd)
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index 133aa56915593..a28dce943f39a 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -79,7 +79,7 @@
    * - :spelling:ignore:`authentication.mutual.spire.install.agent.image`
      - SPIRE agent image
      - object
-     - ``{"digest":"sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.6.3","useDigest":true}``
+     - ``{"digest":"sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.6.3","useDigest":true}``
    * - :spelling:ignore:`authentication.mutual.spire.install.agent.labels`
      - SPIRE agent labels
      - object
@@ -103,7 +103,7 @@
    * - :spelling:ignore:`authentication.mutual.spire.install.initImage`
      - init container image of SPIRE agent and server
      - object
-     - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.35.0","useDigest":true}``
+     - ``{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.35.0","useDigest":true}``
    * - :spelling:ignore:`authentication.mutual.spire.install.namespace`
      - SPIRE namespace to install into
      - string
@@ -143,7 +143,7 @@
    * - :spelling:ignore:`authentication.mutual.spire.install.server.image`
      - SPIRE server image
      - object
-     - ``{"digest":"sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.6.3","useDigest":true}``
+     - ``{"digest":"sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.6.3","useDigest":true}``
    * - :spelling:ignore:`authentication.mutual.spire.install.server.initContainers`
      - SPIRE server init containers
      - list
@@ -327,7 +327,7 @@
    * - :spelling:ignore:`certgen`
      - Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually.
      - object
-     - ``{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}``
+     - ``{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}``
    * - :spelling:ignore:`certgen.annotations`
      - Annotations to be added to the hubble-certgen initial Job and CronJob
      - object
@@ -391,7 +391,7 @@
    * - :spelling:ignore:`clustermesh.apiserver.etcd.image`
      - Clustermesh API server etcd image.
      - object
-     - ``{"digest":"sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4","useDigest":true}``
+     - ``{"digest":"sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3","override":null,"pullPolicy":"Always","repository":"quay.io/coreos/etcd","tag":"v3.5.4","useDigest":true}``
    * - :spelling:ignore:`clustermesh.apiserver.etcd.init.resources`
      - Specifies the resources for etcd init container in the apiserver
      - object
@@ -427,7 +427,7 @@
    * - :spelling:ignore:`clustermesh.apiserver.image`
      - Clustermesh API server image.
      - object
-     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.0-pre.0","useDigest":false}``
+     - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}``
    * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.enabled`
      - Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance.
      - bool
@@ -447,7 +447,7 @@
    * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.image`
      - KVStoreMesh image.
      - object
-     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.15.0-pre.0","useDigest":false}``
+     - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/kvstoremesh-ci","tag":"latest","useDigest":false}``
    * - :spelling:ignore:`clustermesh.apiserver.kvstoremesh.lifecycle`
      - lifecycle setting for the KVStoreMesh container
      - object
@@ -1071,7 +1071,7 @@
    * - :spelling:ignore:`envoy.image`
      - Envoy container image.
      - object
-     - ``{"digest":"sha256:dbcb20bb208eb0031991f5c234eb6de567f95ebd814520dcbfda868b7c1af210","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.4-5a76016dde9a7b4d537f37e3ef84593ea1af87c7","useDigest":true}``
+     - ``{"digest":"sha256:dbcb20bb208eb0031991f5c234eb6de567f95ebd814520dcbfda868b7c1af210","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.4-5a76016dde9a7b4d537f37e3ef84593ea1af87c7","useDigest":true}``
    * - :spelling:ignore:`envoy.livenessProbe.failureThreshold`
      - failure threshold of liveness probe
      - int
@@ -1239,7 +1239,7 @@
    * - :spelling:ignore:`etcd.image`
      - cilium-etcd-operator image.
      - object
-     - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}``
+     - ``{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}``
    * - :spelling:ignore:`etcd.k8sService`
      - If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running.
      - bool
@@ -1491,7 +1491,7 @@
    * - :spelling:ignore:`hubble.relay.image`
      - Hubble-relay container image.
      - object
-     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.0-pre.0","useDigest":false}``
+     - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}``
    * - :spelling:ignore:`hubble.relay.listenHost`
      - Host to listen to. Specify an empty string to bind to all the interfaces.
      - string
@@ -1719,7 +1719,7 @@
    * - :spelling:ignore:`hubble.ui.backend.image`
      - Hubble-ui backend image.
      - object
-     - ``{"digest":"sha256:8a79a1aad4fc9c2aa2b3e4379af0af872a89fcec9d99e117188190671c66fc2e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.0","useDigest":true}``
+     - ``{"digest":"sha256:8a79a1aad4fc9c2aa2b3e4379af0af872a89fcec9d99e117188190671c66fc2e","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.0","useDigest":true}``
    * - :spelling:ignore:`hubble.ui.backend.livenessProbe.enabled`
      - Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
      - bool
@@ -1759,7 +1759,7 @@
    * - :spelling:ignore:`hubble.ui.frontend.image`
      - Hubble-ui frontend image.
      - object
-     - ``{"digest":"sha256:1c876cfa1d5e35bc91e1025c9314f922041592a88b03313c22c1f97a5d2ba88f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.0","useDigest":true}``
+     - ``{"digest":"sha256:1c876cfa1d5e35bc91e1025c9314f922041592a88b03313c22c1f97a5d2ba88f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.0","useDigest":true}``
    * - :spelling:ignore:`hubble.ui.frontend.resources`
      - Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
      - object
@@ -1867,7 +1867,7 @@
    * - :spelling:ignore:`image`
      - Agent container image.
      - object
-     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.0","useDigest":false}``
+     - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}``
    * - :spelling:ignore:`imagePullSecrets`
      - Configure image pull secrets for pulling container images
      - string
@@ -2207,7 +2207,7 @@
    * - :spelling:ignore:`nodeinit.image`
      - node-init image.
      - object
-     - ``{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}``
+     - ``{"override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}``
    * - :spelling:ignore:`nodeinit.nodeSelector`
      - Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
      - object
@@ -2299,7 +2299,7 @@
    * - :spelling:ignore:`operator.image`
      - cilium-operator image.
      - object
-     - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.0-pre.0","useDigest":false}``
+     - ``{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}``
    * - :spelling:ignore:`operator.nodeGCInterval`
      - Interval for cilium node garbage collection.
      - string
@@ -2487,7 +2487,7 @@
    * - :spelling:ignore:`preflight.image`
      - Cilium pre-flight image.
      - object
-     - ``{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.0","useDigest":false}``
+     - ``{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}``
    * - :spelling:ignore:`preflight.nodeSelector`
      - Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
      - object
diff --git a/VERSION b/VERSION
index d47741b5cbd6d..9a4866bbcedef 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.15.0-pre.0
+1.15.0-dev
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
index 03632ddc0dc24..5dbd586faf104 100644
--- a/install/kubernetes/cilium/Chart.yaml
+++ b/install/kubernetes/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.15.0-pre.0
-appVersion: 1.15.0-pre.0
+version: 1.15.0-dev
+appVersion: 1.15.0-dev
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index 00295ddc35e80..6a71d8aebd32d 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.15.0-pre.0](https://img.shields.io/badge/Version-1.15.0--pre.0-informational?style=flat-square) ![AppVersion: 1.15.0-pre.0](https://img.shields.io/badge/AppVersion-1.15.0--pre.0-informational?style=flat-square)
+![Version: 1.15.0-dev](https://img.shields.io/badge/Version-1.15.0--dev-informational?style=flat-square) ![AppVersion: 1.15.0-dev](https://img.shields.io/badge/AppVersion-1.15.0--dev-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -69,13 +69,13 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.connectionTimeout | string | `"30s"` | SPIRE connection timeout |
 | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) |
 | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations |
-| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.6.3","useDigest":true}` | SPIRE agent image |
+| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-agent","tag":"1.6.3","useDigest":true}` | SPIRE agent image |
 | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels |
 | authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account |
 | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. |
 | authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.35.0","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"Always","repository":"docker.io/library/busybox","tag":"1.35.0","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -85,7 +85,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage |
 | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage |
 | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage |
-| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.6.3","useDigest":true}` | SPIRE server image |
+| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f","override":null,"pullPolicy":"Always","repository":"ghcr.io/spiffe/spire-server","tag":"1.6.3","useDigest":true}` | SPIRE server image |
 | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers |
 | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels |
 | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -131,7 +131,7 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
 | certgen.extraVolumes | list | `[]` | Additional certgen volumes. |
@@ -147,7 +147,7 @@ contributors across the globe, there is almost always someone available to help.
 | cluster.id | int | `0` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. |
 | clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver |
-| clustermesh.apiserver.etcd.image | object | `{"digest":"sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4","useDigest":true}` | Clustermesh API server etcd image. |
+| clustermesh.apiserver.etcd.image | object | `{"digest":"sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3","override":null,"pullPolicy":"Always","repository":"quay.io/coreos/etcd","tag":"v3.5.4","useDigest":true}` | Clustermesh API server etcd image. |
 | clustermesh.apiserver.etcd.init.resources | object | `{}` | Specifies the resources for etcd init container in the apiserver |
 | clustermesh.apiserver.etcd.lifecycle | object | `{}` | lifecycle setting for the etcd container |
 | clustermesh.apiserver.etcd.resources | object | `{}` | Specifies the resources for etcd container in the apiserver |
@@ -156,12 +156,12 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.0-pre.0","useDigest":false}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/clustermesh-apiserver-ci","tag":"latest","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.15.0-pre.0","useDigest":false}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/kvstoremesh-ci","tag":"latest","useDigest":false}` | KVStoreMesh image. |
 | clustermesh.apiserver.kvstoremesh.lifecycle | object | `{}` | lifecycle setting for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
@@ -317,7 +317,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:dbcb20bb208eb0031991f5c234eb6de567f95ebd814520dcbfda868b7c1af210","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.4-5a76016dde9a7b4d537f37e3ef84593ea1af87c7","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:dbcb20bb208eb0031991f5c234eb6de567f95ebd814520dcbfda868b7c1af210","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.4-5a76016dde9a7b4d537f37e3ef84593ea1af87c7","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -359,7 +359,7 @@ contributors across the globe, there is almost always someone available to help.
 | etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. |
 | etcd.extraVolumeMounts | list | `[]` | Additional cilium-etcd-operator volumeMounts. |
 | etcd.extraVolumes | list | `[]` | Additional cilium-etcd-operator volumes. |
-| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. |
+| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. |
 | etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. |
 | etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods |
@@ -422,7 +422,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.0-pre.0","useDigest":false}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-relay-ci","tag":"latest","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -479,7 +479,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
 | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
 | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
-| hubble.ui.backend.image | object | `{"digest":"sha256:8a79a1aad4fc9c2aa2b3e4379af0af872a89fcec9d99e117188190671c66fc2e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.0","useDigest":true}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"digest":"sha256:8a79a1aad4fc9c2aa2b3e4379af0af872a89fcec9d99e117188190671c66fc2e","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.0","useDigest":true}` | Hubble-ui backend image. |
 | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
 | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
@@ -489,7 +489,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
 | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
 | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
-| hubble.ui.frontend.image | object | `{"digest":"sha256:1c876cfa1d5e35bc91e1025c9314f922041592a88b03313c22c1f97a5d2ba88f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.0","useDigest":true}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"digest":"sha256:1c876cfa1d5e35bc91e1025c9314f922041592a88b03313c22c1f97a5d2ba88f","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.0","useDigest":true}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
 | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
 | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@@ -516,7 +516,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.0","useDigest":false}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -601,7 +601,7 @@ contributors across the globe, there is almost always someone available to help.
 | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
 | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
 | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
-| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
+| nodeinit.image | object | `{"override":null,"pullPolicy":"Always","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
 | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
 | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
@@ -624,7 +624,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.0-pre.0","useDigest":false}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/operator","suffix":"-ci","tag":"latest","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -671,7 +671,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.0","useDigest":false}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"Always","repository":"quay.io/cilium/cilium-ci","tag":"latest","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 10bd8addaefc0..7a869280caf4e 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -143,9 +143,9 @@ rollOutCiliumPods: false
 # -- Agent container image.
 image:
   override: ~
-  repository: "quay.io/cilium/cilium"
-  tag: "v1.15.0-pre.0"
-  pullPolicy: "IfNotPresent"
+  repository: "quay.io/cilium/cilium-ci"
+  tag: "latest"
+  pullPolicy: "Always"
   # cilium-digest
   digest: ""
   useDigest: false
@@ -945,7 +945,7 @@ certgen:
     tag: "v0.1.9"
     digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f"
     useDigest: true
-    pullPolicy: "IfNotPresent"
+    pullPolicy: "Always"
   # -- Seconds after which the completed job pod will be deleted
   ttlSecondsAfterFinished: 1800
   # -- Labels to be added to hubble-certgen pods
@@ -1140,12 +1140,12 @@ hubble:
     # -- Hubble-relay container image.
     image:
       override: ~
-      repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.15.0-pre.0"
+      repository: "quay.io/cilium/hubble-relay-ci"
+      tag: "latest"
        # hubble-relay-digest
       digest: ""
       useDigest: false
-      pullPolicy: "IfNotPresent"
+      pullPolicy: "Always"
 
     # -- Specifies the resources for the hubble-relay pods
     resources: {}
@@ -1366,7 +1366,7 @@ hubble:
         tag: "v0.12.0"
         digest: "sha256:8a79a1aad4fc9c2aa2b3e4379af0af872a89fcec9d99e117188190671c66fc2e"
         useDigest: true
-        pullPolicy: "IfNotPresent"
+        pullPolicy: "Always"
 
       # -- Hubble-ui backend security context.
       securityContext: {}
@@ -1405,7 +1405,7 @@ hubble:
         tag: "v0.12.0"
         digest: "sha256:1c876cfa1d5e35bc91e1025c9314f922041592a88b03313c22c1f97a5d2ba88f"
         useDigest: true
-        pullPolicy: "IfNotPresent"
+        pullPolicy: "Always"
 
       # -- Hubble-ui frontend security context.
       securityContext: {}
@@ -1904,7 +1904,7 @@ envoy:
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
     tag: "v1.26.4-5a76016dde9a7b4d537f37e3ef84593ea1af87c7"
-    pullPolicy: "IfNotPresent"
+    pullPolicy: "Always"
     digest: "sha256:dbcb20bb208eb0031991f5c234eb6de567f95ebd814520dcbfda868b7c1af210"
     useDigest: true
 
@@ -2188,7 +2188,7 @@ etcd:
     tag: "v2.0.7"
     digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc"
     useDigest: true
-    pullPolicy: "IfNotPresent"
+    pullPolicy: "Always"
 
   # -- The priority class to use for cilium-etcd-operator
   priorityClassName: ""
@@ -2290,7 +2290,7 @@ operator:
   image:
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.15.0-pre.0"
+    tag: "latest"
     # operator-generic-digest
     genericDigest: ""
     # operator-azure-digest
@@ -2300,8 +2300,8 @@ operator:
     # operator-alibabacloud-digest
     alibabacloudDigest: ""
     useDigest: false
-    pullPolicy: "IfNotPresent"
-    suffix: ""
+    pullPolicy: "Always"
+    suffix: "-ci"
 
   # -- Number of replicas to run for the cilium-operator deployment
   replicas: 2
@@ -2489,7 +2489,7 @@ nodeinit:
     override: ~
     repository: "quay.io/cilium/startup-script"
     tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f"
-    pullPolicy: "IfNotPresent"
+    pullPolicy: "Always"
 
   # -- The priority class to use for the nodeinit pod.
   priorityClassName: ""
@@ -2576,12 +2576,12 @@ preflight:
   # -- Cilium pre-flight image.
   image:
     override: ~
-    repository: "quay.io/cilium/cilium"
-    tag: "v1.15.0-pre.0"
+    repository: "quay.io/cilium/cilium-ci"
+    tag: "latest"
     # cilium-digest
     digest: ""
     useDigest: false
-    pullPolicy: "IfNotPresent"
+    pullPolicy: "Always"
 
   # -- The priority class to use for the preflight pod.
   priorityClassName: ""
@@ -2726,12 +2726,12 @@ clustermesh:
     # -- Clustermesh API server image.
     image:
       override: ~
-      repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.15.0-pre.0"
+      repository: "quay.io/cilium/clustermesh-apiserver-ci"
+      tag: "latest"
       # clustermesh-apiserver-digest
       digest: ""
       useDigest: false
-      pullPolicy: "IfNotPresent"
+      pullPolicy: "Always"
 
     etcd:
       # -- Clustermesh API server etcd image.
@@ -2741,7 +2741,7 @@ clustermesh:
         tag: "v3.5.4"
         digest: "sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3"
         useDigest: true
-        pullPolicy: "IfNotPresent"
+        pullPolicy: "Always"
 
       # -- Specifies the resources for etcd container in the apiserver
       resources: {}
@@ -2776,12 +2776,12 @@ clustermesh:
       # -- KVStoreMesh image.
       image:
         override: ~
-        repository: "quay.io/cilium/kvstoremesh"
-        tag: "v1.15.0-pre.0"
+        repository: "quay.io/cilium/kvstoremesh-ci"
+        tag: "latest"
         # kvstoremesh-digest
         digest: ""
         useDigest: false
-        pullPolicy: "IfNotPresent"
+        pullPolicy: "Always"
 
       # -- Additional KVStoreMesh arguments.
       extraArgs: []
@@ -3173,7 +3173,7 @@ authentication:
           tag: "1.35.0"
           digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b"
           useDigest: true
-          pullPolicy: "IfNotPresent"
+          pullPolicy: "Always"
         # SPIRE agent configuration
         agent:
           # -- SPIRE agent image
@@ -3183,7 +3183,7 @@ authentication:
             tag: "1.6.3"
             digest: "sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823"
             useDigest: true
-            pullPolicy: "IfNotPresent"
+            pullPolicy: "Always"
           # -- SPIRE agent service account
           serviceAccount:
             create: true
@@ -3205,7 +3205,7 @@ authentication:
             tag: "1.6.3"
             digest: "sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f"
             useDigest: true
-            pullPolicy: "IfNotPresent"
+            pullPolicy: "Always"
           # -- SPIRE server service account
           serviceAccount:
             create: true