From 52b87afa9edb2680f57c25d05725b48c9f681dbd Mon Sep 17 00:00:00 2001 
From: e3mrah <81884938+emrahbaysal@users.noreply.github.com> Date: Sun, 3 May 2026 17:20:54 +0400 Subject: [PATCH] =?UTF-8?q?fix(bp-cilium):=20upgrade=20upstream=20cilium?= =?UTF-8?q?=201.16.5=20=E2=86=92=201.19.3=20(1.2.0)=20(#684)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1.16.x gateway-api hostNetwork mode is buggy on Sovereigns: cilium-envoy NACKs listeners with "cannot bind '0.0.0.0:80': Permission denied" and the loaded RDS for the Sovereign vhost only carries the default `/` route to catalyst-ui — `/auth/*` and `/api/*` HTTPRoute matches defined in CEC never reach envoy's live config. Result: console./auth/handover?token=… serves the React shell instead of the catalyst-api Go handler, defeating the Phase-8b seamless handover. Caught live on otech46. 1.18+ ships the Gateway API implementation graduated from beta with the hostNetwork bind path fixed; 1.19 is the current stable line (1.19.3). Values shape verified backward-compatible across the keys we set: gatewayAPI.hostNetwork.enabled, envoy.enabled, envoyConfig.enabled, encryption.type=wireguard, encryption.nodeEncryption — all unchanged between 1.16 and 1.19. Bumps: - bp-cilium chart 1.1.5 → 1.2.0 (minor — major upstream version jump) - upstream cilium subchart 1.16.5 → 1.19.3 - blueprint.yaml spec.version 1.1.3 → 1.2.0 (was already drifted from Chart.yaml; brings them back in sync per manifest-validation gate) - clusters/_template/bootstrap-kit/01-cilium.yaml HelmRelease pin 1.1.5 → 1.2.0 Per-cluster overlays under clusters//bootstrap-kit/ keep their pinned versions until the operator opts in — fresh otechN provisions render from _template/ and pick up 1.2.0 on first boot. Will be verified live on the next fresh Sovereign provision (otech47+). 
Co-authored-by: hatiyildiz
Co-authored-by: Claude Opus 4.7 (1M context)
---
 clusters/_template/bootstrap-kit/01-cilium.yaml | 2 +-
 platform/cilium/blueprint.yaml | 2 +-
 platform/cilium/chart/Chart.yaml | 16 +++++++++++++---
 platform/cilium/chart/values.yaml | 4 ++--
 4 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/clusters/_template/bootstrap-kit/01-cilium.yaml b/clusters/_template/bootstrap-kit/01-cilium.yaml
index 595740fc..ad74ee3b 100644
--- a/clusters/_template/bootstrap-kit/01-cilium.yaml
+++ b/clusters/_template/bootstrap-kit/01-cilium.yaml
@@ -36,7 +36,7 @@ spec:
 chart:
 spec:
 chart: bp-cilium
- version: 1.1.5
+ version: 1.2.0
 sourceRef:
 kind: HelmRepository
 name: bp-cilium
diff --git a/platform/cilium/blueprint.yaml b/platform/cilium/blueprint.yaml
index 31c1e6c0..d1cbec8b 100644
--- a/platform/cilium/blueprint.yaml
+++ b/platform/cilium/blueprint.yaml
@@ -6,7 +6,7 @@ metadata:
 catalyst.openova.io/category: per-host-cluster-infrastructure
 catalyst.openova.io/section: pts-3-1-networking-and-service-mesh
 spec:
- version: 1.1.3
+ version: 1.2.0
 card:
 title: Cilium
 summary: Unified CNI + Service Mesh (eBPF). mTLS via WireGuard, Hubble observability, Gateway API.
diff --git a/platform/cilium/chart/Chart.yaml b/platform/cilium/chart/Chart.yaml
index 4e5887e1..830b990a 100644
--- a/platform/cilium/chart/Chart.yaml
+++ b/platform/cilium/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: bp-cilium
-version: 1.1.5
+version: 1.2.0
 description: |
 Catalyst-curated Blueprint umbrella chart for Cilium.
 Depends on the upstream `cilium` chart as a Helm subchart so `helm dependency build`
@@ -16,11 +16,21 @@ maintainers:
 email: catalyst@openova.io
 # Upstream chart pulled in as a Helm subchart so `helm dependency build`
-# bundles it into the OCI artifact. Pinned to cilium/cilium 1.16.5 (matches
+# bundles it into the OCI artifact. Pinned to cilium/cilium 1.19.3 (matches
 # platform/cilium/blueprint.yaml + values.yaml `catalystBlueprint.upstream
 # .version`). Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode) the
 # version is operator-bumpable via PR + Blueprint release.
+#
+# 1.16.5 → 1.19.3 jump (2026-05-03): 1.16.x had buggy gateway-api hostNetwork
+# mode where cilium-envoy NACK'd listeners with "cannot bind '0.0.0.0:80':
+# Permission denied" and the loaded RDS for the Sovereign vhost only
+# carried the default `/` route — `/auth/*` and `/api/*` HTTPRoute matches
+# never reached envoy's live config. 1.18+ ships the mature Gateway API
+# implementation (graduated from beta), 1.19 is the current stable line.
+# Values shape verified compatible: gatewayAPI.hostNetwork.enabled,
+# envoy.enabled, envoyConfig.enabled, encryption.type=wireguard,
+# nodeEncryption — all unchanged.
 dependencies:
 - name: cilium
- version: "1.16.5"
+ version: "1.19.3"
 repository: "https://helm.cilium.io"
diff --git a/platform/cilium/chart/values.yaml b/platform/cilium/chart/values.yaml
index 50e3bc1e..ed1690a6 100644
--- a/platform/cilium/chart/values.yaml
+++ b/platform/cilium/chart/values.yaml
@@ -19,7 +19,7 @@ global:
 imageRegistry: ""
 catalystBlueprint:
- upstream: { chart: cilium, version: "1.16.5", repo: "https://helm.cilium.io" }
+ upstream: { chart: cilium, version: "1.19.3", repo: "https://helm.cilium.io" }
 # Catalyst-curated Cilium values per platform/cilium/README.md.
 #
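Review bot: The subchart pin `version: "1.19.3"` under `dependencies:` is the only integrity control on what `helm dependency build` bundles into the OCI artifact, and the diffstat shows no Chart.lock changing with it. If the chart carries a Chart.lock, it now disagrees with Chart.yaml and `helm dependency build` will refuse to run until `helm dependency update` regenerates it; if it carries none, the build fetches whatever https://helm.cilium.io serves for 1.19.3 with no recorded digest, so the regenerated Chart.lock (with its `digest:` line) belongs in the same change. The new comment also lists which values keys were checked but says nothing about the upgrade path: as far as I read Cilium's upgrade guide, the supported step is one minor release at a time, so an operator who later bumps a running cluster's overlay from 1.1.5 straight to 1.2.0 would be jumping 1.16→1.19 in a single reconcile — worth one more line such as `# NOTE: existing clusters must step through 1.17 and 1.18 per the upstream upgrade guide; only fresh provisions should take this pin directly.` The same version is also hard-coded in blueprint.yaml and values.yaml outside this hunk, and the commit message admits those already drifted once, so the manifest-validation gate should compare all three, not only blueprint.yaml against Chart.yaml.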
@@ -76,7 +76,7 @@ cilium:
 # `metrics.enabled: null` (NOT [] and NOT a populated list) is the
 # exact value that makes the upstream Cilium chart skip the metrics
 # ServiceMonitor template branch — verified by reading the upstream
- # cilium 1.16.5 chart's _hubble.tpl.
+ # cilium 1.19.3 chart's _hubble.tpl.
 #
 # Operator opts in via clusters//bootstrap-kit/01-cilium.yaml
 # values overlay once bp-kube-prometheus-stack reconciles (issue #182).
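Review bot: The changed line now asserts that the `metrics.enabled: null` trick was "verified by reading the upstream cilium 1.19.3 chart's _hubble.tpl", but nothing in this commit shows that re-verification happened — the commit message's list of keys checked across 1.16→1.19 (gatewayAPI.hostNetwork.enabled, envoy.enabled, envoyConfig.enabled, encryption.*) does not include hubble.metrics.enabled, so bumping the number silently turns a provenance note into an unverified claim. If the template branch was re-read against the 1.19.3 tarball, say so in the commit; if not, keep the truthful version and flag it, e.g. `# cilium chart's _hubble.tpl (last verified against 1.16.5 — re-check on each upstream bump).` This matters because, per the surrounding comment, the null value is what keeps the chart from rendering a ServiceMonitor before bp-kube-prometheus-stack has reconciled, so a changed template branch would presumably break the bootstrap ordering rather than fail loudly. The `cilium:` values stanza this comment belongs to starts and ends outside the hunk.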