Upd cilium v1.16.7

[kvaps]

Summary by CodeRabbit

• New Features

  • Introduced a configurable option for adjusting the Envoy access log buffer size, allowing users to better tune log handling.
  • Improved startup feedback with more prompt service restarts.

• Chores

  • Upgraded all core components to version 1.16.7.
  • Updated documentation and configuration settings to reflect the latest release.

[coderabbitai]

Walkthrough

This pull request updates the Cilium package by incrementing version numbers and container image digests from 1.16.6 to 1.16.7. It modifies multiple files including Chart.yaml, README.md, values.yaml, and the Dockerfile. Additionally, new configuration options such as accessLogBufferSize for Envoy logging are introduced in the values schema and template files, and a related conditional is added to the ConfigMap. The startup script now issues kubelet restart commands immediately after key operations, and the validation template is enhanced with an extra check.

Changes

File(s)	Change Summary
packages/system/cilium/charts/cilium/Chart.yaml, .../README.md, .../values.yaml, packages/system/cilium/images/cilium/Dockerfile	Bump version numbers from 1.16.6 to 1.16.7; update image tags and digests to reflect the new release.
packages/system/cilium/charts/cilium/values.schema.json, packages/system/cilium/charts/cilium/values.yaml.tmpl	Add new accessLogBufferSize configuration option for Envoy logging (with a default of 4096 where applicable).
packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml	Add a conditional block to set the envoy-access-log-buffer-size in the ConfigMap when specified.
packages/system/cilium/charts/cilium/templates/validate.yaml	Introduce new validation logic to prevent the allow-unsafe-policy-skb-usage from being set to "true".
packages/system/cilium/charts/cilium/files/nodeinit/startup.bash	Insert additional kubelet restart commands immediately after installation/configuration steps to improve execution flow.

Sequence Diagram(s)

sequenceDiagram
    participant S as Startup Script
    participant K as Kubelet Service
    S->>S: Perform kubelet wrapper installation
    S->>S: Modify kubelet configuration
    S->>S: Log "Restarting the kubelet..."
    S->>K: Execute "systemctl restart kubelet"
    S->>S: Continue with remaining setup

Loading

Possibly related PRs

• Update Cilium v1.16.5 #576: Updated Chart.yaml version from 1.16.4 to 1.16.5; directly related to version bumping in Chart.yaml.
• Update cilium v1.16.6 #618: Adjusted version numbers from 1.16.5 to 1.16.6 in Chart.yaml; similar code-level changes to those in this PR.
• Update Cilium v1.16.4 #493: Modified Chart.yaml version fields from 1.16.3 to 1.16.4; involves sequential release updates akin to the current changes.

Suggested labels

enhancement, size:L

Suggested reviewers

• klinch0

Poem

I'm a rabbit hopping through lines of code,
Cheering for changes on this version road.
Versions bump and digests shine,
With logging tweaks so finely designed.
I nibble on bugs with a joyful hop,
Celebrating updates that just won't stop!
🥕🐇

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

packages/system/cilium/charts/cilium/templates/validate.yaml (1)

153-159: Clarify the New Unsafe Configuration Check
In the newly added conditional block, the code checks that the extraConfig value for "allow-unsafe-policy-skb-usage" is not set to "true" (i.e. the check (ne (index .Values.extraConfig "allow-unsafe-policy-skb-usage") "true") returns true) before applying the failure message if other buggy conditions (cluster ID range and enabled features) are met. This ensures that unless the user explicitly opts in (by setting the value to "true"), the known bug scenario is prevented.
• Please verify that this logical inversion exactly matches the intended safety requirement described in the PR objectives.
• It would be helpful to add an inline comment above the block to explain that the purpose is to force users to explicitly acknowledge the risk when enabling unsafe skb usage.

packages/system/cilium/charts/cilium/values.schema.json (1)

1972-1977: Validate the New accessLogBufferSize Schema Property
The new property "accessLogBufferSize" has been introduced under the log object to accept either a null value or an integer. This correctly expands the configurability for Envoy’s access log buffer size.
• For additional robustness, consider adding numeric constraints (such as "minimum": 0) to ensure that only non-negative integers are allowed. This small enhancement can help avoid configuration errors at deployment time.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86bb640 and ea894d7.

📒 Files selected for processing (9)

• packages/system/cilium/charts/cilium/Chart.yaml (2 hunks)
• packages/system/cilium/charts/cilium/README.md (7 hunks)
• packages/system/cilium/charts/cilium/files/nodeinit/startup.bash (2 hunks)
• packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml (1 hunks)
• packages/system/cilium/charts/cilium/templates/validate.yaml (1 hunks)
• packages/system/cilium/charts/cilium/values.schema.json (1 hunks)
• packages/system/cilium/charts/cilium/values.yaml (7 hunks)
• packages/system/cilium/charts/cilium/values.yaml.tmpl (1 hunks)
• packages/system/cilium/images/cilium/Dockerfile (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• packages/system/cilium/images/cilium/Dockerfile
• packages/system/cilium/charts/cilium/Chart.yaml

🔇 Additional comments (16)

packages/system/cilium/charts/cilium/values.yaml.tmpl (1)

2160-2166: Improved Envoy logging configuration with new parameter

The addition of the accessLogBufferSize parameter enhances Envoy's logging capabilities, allowing users to configure the buffer size used for access logs. This is particularly useful for troubleshooting scenarios with large header sizes that might otherwise result in truncated messages.

The default value of 4096 bytes provides a good baseline, and the documentation clearly explains when and how to adjust this value. This change aligns with best practices by making the system more configurable for different operational needs.

packages/system/cilium/charts/cilium/files/nodeinit/startup.bash (2)

119-120: Improved kubelet restart timing after wrapper installation

Adding an immediate kubelet restart after the wrapper installation ensures that the new wrapper takes effect right away, rather than waiting until the end of the script.

This is a good operational improvement that makes the configuration changes more predictable by restarting the service exactly when needed.

---

140-141: Added explicit kubelet restart after CNI configuration changes

Similar to the previous restart command, this ensures the kubelet immediately picks up the network plugin configuration changes.

This change improves the reliability of the node initialization process by making sure configuration changes are applied promptly, reducing the chance of race conditions or missed configurations.

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml (1)

1287-1289: New Envoy Access Log Buffer Configuration Block

This conditional block correctly checks for the presence of .Values.envoy.log.accessLogBufferSize and, when defined, sets the envoy-access-log-buffer-size key with the value passed through the quote filter. This approach is consistent with the pattern used for other similar parameters in the file. Please verify that the rendered (quoted) value meets the expected format (i.e. a string representation of an integer) as defined in the accompanying JSON schema.

packages/system/cilium/charts/cilium/README.md (6)

3-3: Version Badges Updated
The version badges now reflect version 1.16.7. Please confirm that this change is consistent with updates in related files (e.g. Chart.yaml and values.yaml).

---

185-185: Updated Clustermesh API Server Image
The image configuration for the clustermesh API server has been updated with the new digest and tag v1.16.7. Ensure that this new digest is correct according to your release build and that it aligns with the corresponding image in your Chart.yaml.

---

356-356: Envoy Container Image Update
The envoy container image has been updated to use the new digest and tag. This ensures consistency with the current release; please verify that the repository and tag are correct for your environment.

---

360-360: New Envoy Log Buffer Size Option Added
A new configuration option envoy.log.accessLogBufferSize is introduced with a default value of 4096 bytes. The description is clear and advises tuning the buffer size if truncated log messages occur. This new parameter should be cross-checked with your documentation or user guidelines to ensure compatibility with environments that have larger request/response headers.

---

595-595: Agent Container Image Update
The agent container image has been updated to use tag v1.16.7 along with its new digest. This update appears consistent with the overall version bump.

---

722-722: Cilium-Operator Image Update
The operator image configuration now includes updated digests for various clouds (AlibabaCloud, AWS, Azure, and a generic one) with tag v1.16.7. Please verify that these digests match the intended release images to ensure that the operator component will run as expected.

packages/system/cilium/charts/cilium/values.yaml (6)

156-160: Cilium Agent Image Update:
The image tag has been updated to "v1.16.7" and the corresponding digest has been updated accordingly. This change ensures that the cilium-agent now references the new release version.

---

1316-1319: Hubble Relay Image Update:
The Hubble Relay image tag has been updated to "v1.16.7" alongside its digest, ensuring consistency with the new release. This update is essential for a synchronized upgrade of all components.

---

2146-2152: Envoy Access Log Buffer Size Parameter Added:
A new configuration option, accessLogBufferSize: 4096, has been introduced in the Envoy log section. This addition provides users with the ability to tune the size of the access log buffer to mitigate issues such as truncated log messages for large header sizes.

---

2489-2501: Cilium Operator Image Update:
The Cilium Operator image has been updated with a new tag "v1.16.7" and its related digests (generic, azure, aws, and alibabacloud) have been refreshed. These changes ensure that the operator component is aligned with the other updated components in this release.

---

2771-2777: Cilium Preflight Image Update:
The preflight image now uses tag "v1.16.7" and an updated digest, matching the main cilium image update. This change helps maintain consistency across deployment components and ensures compatibility in upgrade scenarios.

---

2920-2925: Clustermesh API Server Image Update:
The clustermesh-apiserver image has been updated to tag "v1.16.7" with an accompanying digest update. This update aligns the API server component with the overall release upgrade.