fix(bp-cilium): upgrade upstream cilium 1.16.5 → 1.19.3 (1.2.0) (#684)

1.16.x gateway-api hostNetwork mode is buggy on Sovereigns: cilium-envoy
NACKs listeners with "cannot bind '0.0.0.0:80': Permission denied" and
the loaded RDS for the Sovereign vhost only carries the default `/` route
to catalyst-ui — `/auth/*` and `/api/*` HTTPRoute matches defined in CEC
never reach envoy's live config. Result: console.<sov>/auth/handover?token=…
serves the React shell instead of the catalyst-api Go handler, defeating
the Phase-8b seamless handover. Caught live on otech46.

1.18+ ships the Gateway API implementation graduated from beta with the
hostNetwork bind path fixed; 1.19 is the current stable line (1.19.3).
Values shape verified backward-compatible across the keys we set:
gatewayAPI.hostNetwork.enabled, envoy.enabled, envoyConfig.enabled,
encryption.type=wireguard, encryption.nodeEncryption — all unchanged
between 1.16 and 1.19.

Bumps:
  - bp-cilium chart 1.1.5 → 1.2.0 (minor — major upstream version jump)
  - upstream cilium subchart 1.16.5 → 1.19.3
  - blueprint.yaml spec.version 1.1.3 → 1.2.0 (was already drifted from
    Chart.yaml; brings them back in sync per manifest-validation gate)
  - clusters/_template/bootstrap-kit/01-cilium.yaml HelmRelease pin
    1.1.5 → 1.2.0

Per-cluster overlays under clusters/<sovereign>/bootstrap-kit/ keep
their pinned versions until the operator opts in — fresh otechN
provisions render from _template/ and pick up 1.2.0 on first boot.

Will be verified live on the next fresh Sovereign provision (otech47+).

Co-authored-by: hatiyildiz <hatice@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
e3mrah 2026-05-03 17:20:54 +04:00 committed by GitHub
parent 875d96fbed
commit 52b87afa9e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 17 additions and 7 deletions

View File

@ -36,7 +36,7 @@ spec:
chart:
spec:
chart: bp-cilium
version: 1.1.5
version: 1.2.0
sourceRef:
kind: HelmRepository
name: bp-cilium
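Review bot: the `version: 1.1.5` → `1.2.0` pin is the only change in this HelmRelease, yet it carries a three-minor-version jump of the cluster CNI (upstream 1.16.5 → 1.19.3) for every fresh provision rendered from `_template/`. Consider a one-line comment beside `version: 1.2.0` stating that this pin rolls the upstream Cilium major line forward and that per-sovereign overlays keep their own pin until the operator opts in, so the next reader of the template does not mistake it for a routine chart patch.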

View File

@ -6,7 +6,7 @@ metadata:
catalyst.openova.io/category: per-host-cluster-infrastructure
catalyst.openova.io/section: pts-3-1-networking-and-service-mesh
spec:
version: 1.1.3
version: 1.2.0
card:
title: Cilium
summary: Unified CNI + Service Mesh (eBPF). mTLS via WireGuard, Hubble observability, Gateway API.
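Review bot: `spec.version` was at 1.1.3 while Chart.yaml was already at 1.1.5, which shows the two values can drift without anything failing. If the manifest-validation gate does not already compare `blueprint.yaml spec.version` against the umbrella `Chart.yaml version`, add that equality check so the next bump cannot reintroduce the drift this hunk repairs.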

View File

@ -1,6 +1,6 @@
apiVersion: v2
name: bp-cilium
version: 1.1.5
version: 1.2.0
description: |
Catalyst-curated Blueprint umbrella chart for Cilium. Depends on the
upstream `cilium` chart as a Helm subchart so `helm dependency build`
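Review bot: `version: 1.1.5` → `1.2.0` is a minor bump for a change that swaps the underlying CNI from 1.16.5 to 1.19.3 and alters live Gateway API / hostNetwork behaviour. Under semver a consumer pinned to `~1.x` would pick this up as a compatible update; consider whether a major bump, or at least an explicit line in `description:` naming the upstream jump, better signals the blast radius to overlay consumers.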
@ -16,11 +16,21 @@ maintainers:
email: catalyst@openova.io
# Upstream chart pulled in as a Helm subchart so `helm dependency build`
# bundles it into the OCI artifact. Pinned to cilium/cilium 1.16.5 (matches
# bundles it into the OCI artifact. Pinned to cilium/cilium 1.19.3 (matches
# platform/cilium/blueprint.yaml + values.yaml `catalystBlueprint.upstream
# .version`). Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode) the
# version is operator-bumpable via PR + Blueprint release.
#
# 1.16.5 → 1.19.3 jump (2026-05-03): 1.16.x had buggy gateway-api hostNetwork
# mode where cilium-envoy NACK'd listeners with "cannot bind '0.0.0.0:80':
# Permission denied" and the loaded RDS for the Sovereign vhost only
# carried the default `/` route — `/auth/*` and `/api/*` HTTPRoute matches
# never reached envoy's live config. 1.18+ ships the mature Gateway API
# implementation (graduated from beta), 1.19 is the current stable line.
# Values shape verified compatible: gatewayAPI.hostNetwork.enabled,
# envoy.enabled, envoyConfig.enabled, encryption.type=wireguard,
# nodeEncryption — all unchanged.
dependencies:
- name: cilium
version: "1.16.5"
version: "1.19.3"
repository: "https://helm.cilium.io"
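Review bot: the `dependencies` entry moves the `cilium` subchart to `"1.19.3"` but none of the 4 changed files is a `Chart.lock`. If this chart commits a `Chart.lock`, `helm dependency build` will refuse to proceed with a lock that is out of sync with Chart.yaml, so the lock should be regenerated with `helm dependency update` and committed in the same change, which also records the resolved digest of the new subchart from `https://helm.cilium.io`.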

View File

@ -19,7 +19,7 @@ global:
imageRegistry: ""
catalystBlueprint:
upstream: { chart: cilium, version: "1.16.5", repo: "https://helm.cilium.io" }
upstream: { chart: cilium, version: "1.19.3", repo: "https://helm.cilium.io" }
# Catalyst-curated Cilium values per platform/cilium/README.md.
#
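Review bot: `catalystBlueprint.upstream.version: "1.19.3"` now has to agree with the `cilium` dependency version in Chart.yaml, and the Chart.yaml comment states that they match by convention only. A small check that renders the chart and asserts `catalystBlueprint.upstream.version` equals the Chart.yaml dependency version would turn that convention into a gate, so a future bump cannot update one copy and not the other.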
@ -76,7 +76,7 @@ cilium:
# `metrics.enabled: null` (NOT [] and NOT a populated list) is the
# exact value that makes the upstream Cilium chart skip the metrics
# ServiceMonitor template branch — verified by reading the upstream
# cilium 1.16.5 chart's _hubble.tpl.
# cilium 1.19.3 chart's _hubble.tpl.
#
# Operator opts in via clusters/<sovereign>/bootstrap-kit/01-cilium.yaml
# values overlay once bp-kube-prometheus-stack reconciles (issue #182).
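Review bot: this hunk only rewrites the version number in the comment ("verified by reading the upstream cilium 1.19.3 chart's _hubble.tpl"), but the verification it describes was done against 1.16.5 and the commit message lists only the gatewayAPI/envoy/encryption keys as re-verified, not `metrics.enabled: null`. Either confirm the `null` branch still skips the ServiceMonitor template in the 1.19.3 `_hubble.tpl` (or render with `helm template` and check that no ServiceMonitor is emitted) before merging, or reword the comment so it does not assert a check that has not been repeated.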