
@kvaps kvaps commented Feb 5, 2025

Summary by CodeRabbit

  • New Features

    • Enhanced proxy configuration with dedicated endpoints for metrics, administration, and health checks.
  • Documentation

    • Updated displayed version number and badge to v1.16.6 for improved clarity.
  • Chores

    • Upgraded component versions and image digests from v1.16.5 to v1.16.6.
    • Streamlined configuration by removing legacy conditional settings and obsolete CORS directives.
    • Refined formatting of tag filters for clearer configuration management.

@dosubot dosubot bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Feb 5, 2025
coderabbitai bot commented Feb 5, 2025

Walkthrough

This pull request updates the Cilium package from version 1.16.5 to 1.16.6. The changes include updating version numbers and image digests in key files, modifying Envoy bootstrap configurations by replacing an existing JSON file with a new YAML-based configuration (which defines new listeners and clusters), and cleaning up configuration files by removing deprecated volume mounts and CORS settings. Minor adjustments to string formatting in the ConfigMap are also included.

Changes

| File(s) | Change Summary |
|---|---|
| packages/.../Chart.yaml, packages/.../README.md, packages/.../values.yaml, packages/.../Dockerfile | Updated version numbers from 1.16.5 to 1.16.6 and corresponding image digests for various Cilium components. |
| packages/.../cilium-envoy/configmap/bootstrap-config.json, packages/.../cilium-envoy/configmap/bootstrap-config.yaml | Removed the JSON bootstrap config; introduced a YAML-based config defining new listeners (prometheus, admin, health) and clusters (ingress, egress, xds grpc, etc.). |
| packages/.../templates/cilium-agent/daemonset.yaml | Removed conditional volume mounts related to the socketLB feature. |
| packages/.../templates/cilium-configmap.yaml | Changed the join separator for subnet-tags-filter and instance-tags-filter from a space to a comma. |
| packages/.../templates/cilium-envoy/configmap.yaml | Replaced the JSON-config inclusion with a YAML file converted into JSON format to populate the bootstrap config. |
| packages/.../templates/hubble-ui/_nginx.tpl | Removed CORS headers and associated conditional logic from the NGINX configuration. |

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Envoy
    participant MetricsBackend
    participant AdminBackend
    participant HealthBackend

    alt Request is for metrics
        Client->>Envoy: GET /metrics
        Envoy->>MetricsBackend: Route metrics request
        MetricsBackend-->>Envoy: Return metrics data
        Envoy-->>Client: Deliver metrics response
    else Request is for health check
        Client->>Envoy: GET /healthz
        Envoy->>HealthBackend: Check health status
        HealthBackend-->>Envoy: Return health status
        Envoy-->>Client: Deliver health response
    else Other administrative request
        Client->>Envoy: GET /
        Envoy->>AdminBackend: Process admin request
        AdminBackend-->>Envoy: Return admin response
        Envoy-->>Client: Deliver admin response
    end

Suggested labels

enhancement, size:L

Suggested reviewers

  • klinch0

Poem

I'm a hop-happy rabbit in the code garden today,
Nibbling on updates as the versions come out to play.
With fresh YAML and cleaner mounts, I dance in delight,
Carrots of code and crisp configs make my day bright.
A playful leap through each diff—oh what a sight!
🐰✨ Happy coding in the burrow of new release light!


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml (1)

267-271: Bootstrap Extensions Assessment

The bootstrap extensions block defines an internal listener extension. If this listener is deprecated or no longer required in your setup, consider removing or updating it accordingly. Otherwise, ensure its configuration (especially the typed config) is still supported in the latest Envoy/Cilium release.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 861e6c4 and d74a2d9.

📒 Files selected for processing (10)
  • packages/system/cilium/charts/cilium/Chart.yaml (2 hunks)
  • packages/system/cilium/charts/cilium/README.md (8 hunks)
  • packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json (0 hunks)
  • packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml (1 hunks)
  • packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml (0 hunks)
  • packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml (1 hunks)
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml (1 hunks)
  • packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl (0 hunks)
  • packages/system/cilium/charts/cilium/values.yaml (7 hunks)
  • packages/system/cilium/images/cilium/Dockerfile (1 hunks)
💤 Files with no reviewable changes (3)
  • packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl
  • packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json
✅ Files skipped from review due to trivial changes (3)
  • packages/system/cilium/images/cilium/Dockerfile
  • packages/system/cilium/charts/cilium/Chart.yaml
  • packages/system/cilium/charts/cilium/README.md
🧰 Additional context used
🪛 YAMLlint (1.35.1)
packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml

[error] 7-7: syntax error: could not find expected ':'

(syntax)

🔇 Additional comments (22)
packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml (2)

515-517: Standardize Subnet Tags Delimiter

The delimiter for joining the subnet tags has been changed from a space to a comma. This update standardizes the output format for the subnet-tags-filter configuration. Please verify that downstream components or documentation expecting comma-separated values are updated accordingly.


518-520: Standardize Instance Tags Delimiter

The joining operation for the instance tags now uses a comma instead of a space. This change aligns the format of instance-tags-filter with that of subnet tags and should help ensure consistent parsing of multiple tag values. Confirm that the consuming systems or configuration references are adjusted to expect comma-separated values.

packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml (1)

15-17: Preserve Key Name with YAML-to-JSON Conversion

The change replaces the direct inclusion of a JSON file with a YAML-based source that is converted to JSON using the Helm templating functions. Preserving the key name (bootstrap-config.json) helps avoid breaking changes on the consumers’ side. Please ensure that the YAML content in files/cilium-envoy/configmap/bootstrap-config.yaml renders valid JSON when processed.

packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml (13)

1-3: Node Configuration Verification

The node section defines a static node ID and cluster ("ingress-cluster"). Verify that these hardcoded values meet your deployment needs or if they should be dynamically templated for different environments.


6-51: Prometheus Listener Configuration

The conditional block for the envoy-prometheus-metrics-listener is well-structured. This listener exposes metrics at /metrics, applies the necessary route rewrite, and configures internal addresses based on IPv4/IPv6 settings. Please double-check that the specified filter chain and timeout ("0s") settings are aligned with your operational requirements.


52-104: Admin Listener Configuration Review

The envoy-admin-listener configuration uses conditional templating to support dual-stack addressing. It is enabled only if envoy.debug.admin.enabled is true, and it conditionally adds an extra address for IPv6 when both .Values.ipv4.enabled and .Values.ipv6.enabled are true. Confirm that this behavior matches your intended operational mode for administrative access.


105-116: Health Listener Configuration Check

The envoy-health-listener is meant to serve health checks at /healthz (rewriting to /ready). However, the conditional used for adding additionalAddresses is {{- if and .Values.envoy.prometheus.enabled .Values.ipv6.enabled }}. This reference to envoy.prometheus.enabled seems potentially inconsistent with a health check listener; typically, one might expect a health-specific flag. Please verify whether this condition is intentional or if it should target a health-related configuration.


157-169: Ingress Cluster Configuration

The ingress-cluster is defined with the ORIGINAL_DST type and includes explicit protocol options. Note the concatenation for the cleanup interval ({{ .Values.envoy.connectTimeoutSeconds }}.500s) and ensure that the resultant string is a valid duration. Confirm that these connection and protocol settings satisfy your performance and routing requirements.


170-183: Egress Cluster TLS Configuration

The egress-cluster-tls includes TLS settings via a transport socket using the cilium.tls_wrapper. Review the TLS context and related typed configuration to make sure they adhere to your security policies and that any upstream TLS configuration changes are compatible with the new Envoy version.


188-200: Egress Cluster (Non-TLS) Configuration

The egress-cluster setup mirrors the ingress cluster’s structure without TLS. Verify that its protocol options, connection timeout, and cleanup interval match your desired operational parameters.


201-214: Ingress Cluster TLS Configuration

This TLS-enabled ingress cluster configuration is similar to its egress counterpart. Ensure that the transport socket details and protocol options are compliant with security best practices and that they function correctly in your deployment scenario.


219-230: xDS gRPC Cluster Configuration

The xds-grpc-cilium cluster is configured to use a UNIX pipe (with the given path) for gRPC communication. Please verify that the pipe path (/var/run/cilium/envoy/sockets/xds.sock) is correct and that the GRPC service settings are functioning as expected to support dynamic configuration updates.


235-246: Envoy Admin Cluster Setup

This cluster uses a UNIX pipe endpoint to connect to the admin interface. The naming (/envoy-admin) and the endpoint path (/var/run/cilium/envoy/sockets/admin.sock) should be confirmed as intentional and consistent with other admin-related settings across your environment.


247-266: Dynamic Resource Configuration

The dynamic resources for LDS and CDS are configured with GRPC as the API source, using appropriate initial fetch timeouts and setting the API version to V3. Verify that these settings, particularly the timeouts and gRPC configurations, are robust against network delays or intermittent connectivity issues in your environment.


272-277: Overload Manager Configuration

The overload manager sets a resource monitor with a global downstream connection cap of 50000. Confirm that this limit is in line with your system capacity and that the monitor settings are sufficient for your anticipated load.


278-280: Admin Interface Settings

The admin section configures the path for the Envoy admin interface using a UNIX pipe. Ensure this setting is consistent with other parts of the configuration and that the specified pipe directory is correctly mounted in your runtime environment.

packages/system/cilium/charts/cilium/values.yaml (6)

154-160: Agent Image Update: The Cilium agent image tag has been updated to "v1.16.6" and the corresponding digest changed to "sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da".
Please ensure that all downstream components that rely on this image are compatible with the new version.


1315-1320: Hubble Relay Image Update: The Hubble relay image has been revised to use tag "v1.16.6" along with an updated digest "sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b".
Double-check that the corresponding configuration settings for Hubble relay accommodate this change.


2481-2491: Operator Image Update: The Cilium operator image has been updated—its tag is now "v1.16.6" and the digests for several variants (generic, Azure, AWS, and AlibabaCloud) have been updated accordingly.
Please verify that these changes are consistent across all operator-related resources and that the new images meet the release criteria.


2911-2918: Clustermesh API Server Image Update: The clustermesh API server image now carries the tag "v1.16.6" with an updated digest "sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a".
It is advisable to check that this update aligns with the overall ClusterMesh configuration and that no legacy references remain.


2764-2770: Preflight Image Update: The preflight image configuration has been modified to use the Cilium version "v1.16.6" (with the updated digest matching the agent image).
Confirm that this update remains consistent with other components that depend on the same base image.


2164-2172: Envoy Image Update: The Cilium Envoy image has been updated with the new tag "v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5" and the digest "sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88".
Please verify that this version is intended for use alongside Cilium v1.16.6 and that there are no compatibility issues with Envoy’s configuration or integration.

@kvaps kvaps merged commit 1a88883 into main Feb 6, 2025
1 of 2 checks passed
@kvaps kvaps deleted the cilium-1.16.6 branch February 6, 2025 12:51
@coderabbitai coderabbitai bot mentioned this pull request Feb 26, 2025