feat(t8s-cluster/cilium): enable kubeProxy replacement

[cwrau]

Summary by CodeRabbit

• New Features

  • Hosted control plane options: conditional kube-proxy toggle, hosted-mode ports/address-pairing, and hosted-specific native-routing/security rules.
  • Hosted Cilium configuration: proxy replacement, BPF/networking features, egress gateway, IPAM/routing, IPv4 native CIDR, and observability export.

• Improvements

  • More flexible security group/ingress handling, remote-target resolution, and an allow-in-cluster-traffic flag for hosted native routing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Merge chart Values into helper context and gate multiple templates on .Values.controlPlane.hosted: add controller-manager --allocate-node-cidrs, disable kube-proxy in hosted control plane spec, add hosted OpenStack security rules and allowedAddressPairs, and inject hosted-mode Cilium HelmRelease values (BPF, native routing, IPAM, proxy-replacement, observability).

Changes

Cohort / File(s)	Summary
Controller manager helpers charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl	Merge Values into helper context at start of t8s-cluster.clusterClass.args.controllerManager and conditionally add --allocate-node-cidrs=true when .Values.controlPlane.hosted is true. Applied to both occurrences.
Hosted control plane spec charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml	Add kubeProxy blocks with disabled: {{ .Values.controlPlane.hosted }} (two locations) to disable kube-proxy for hosted control planes.
OpenStack cluster template charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml	Introduce $allowNativeRouting when hosted+cilium; conditionally wrap CNI-related SG rules, add native-routing SG rules for pod↔pod and node↔pod (CIDRs), refactor remote-target resolution priority and protocol defaulting, and expose allowAllInClusterTraffic in managedSecurityGroups.
OpenStack machine template charts/t8s-cluster/templates/management-cluster/clusterClass/openStackMachineTemplates/_openstackMachineTemplateSpec.yaml	When .Values.controlPlane.hosted is true, insert ports.allowedAddressPairs with 10.0.0.0/16.
Cilium CNI HelmRelease values charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml	Add hosted-mode Cilium configuration gated by .Values.controlPlane.hosted: BPF (masquerade, tproxy, enableTCX), endpointRoutes, bandwidthManager, egressGateway, kubeProxyReplacement: true, IPAM/routingMode, autoDirectNodeRoutes, directRoutingSkipUnreachable, localRedirectPolicies, k8s.requireIPv4PodCIDR, computed k8sServiceHost/Port, ipv4NativeRoutingCIDR (10.0.0.0/16), envoy.prometheus and export.static settings.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer / Values
  participant Helm as Helm renderer
  participant Templates as Chart templates / helpers
  participant K8s as Kubernetes API
  participant OpenStack as OpenStack API
  participant Cilium as Cilium HelmRelease

  Dev->>Helm: render chart with .Values.controlPlane.hosted=true
  Helm->>Templates: merge .Values into helper context
  Templates->>K8s: render ControllerManager args (--allocate-node-cidrs=true)
  Templates->>K8s: render HostedControlPlane spec (kubeProxy.disabled=true)
  Templates->>OpenStack: emit security-group rules & machine allowedAddressPairs (hosted native-routing)
  Templates->>Cilium: inject hosted-mode Cilium HelmRelease values (BPF, native routing, IPAM, proxy-replacement)
  K8s-->>Dev: resources created/updated
  OpenStack-->>Dev: SGs/ports applied
  Cilium-->>Dev: HelmRelease deployed

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Review focus:
  • Correctness and scoping of .Values merge in _helpers.tpl.
  • Conditional gates for .Values.controlPlane.hosted across templates.
  • OpenStack security-group remote-target resolution and protocol defaulting.
  • Cilium hosted-mode flags and computed service host logic.

Possibly related PRs

• feat(t8s-cluster/management-cluster): switch to hcp #1759 — Overlapping changes touching hosted-control-plane templates, helpers, and kube-proxy/OpenStack hosted logic.

Suggested reviewers

• tasches
• marvinWolff
• teutonet-bot

"🐰 I hopped through templates, values in tow,
Flipped controller args where hosted flags glow,
Told OpenStack to route pods through the night,
Gave Cilium new wings to BPF and take flight,
A small rabbit cheers — configs set just right!"

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main objective: enabling kubeProxy replacement for the hosted control plane setup in Cilium, which is the core change across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/t8s-cluster/enable-kube-proxy-replacement-for-hcp

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9827acd and 7ac38ed.

📒 Files selected for processing (5)

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (1 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml (1 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml (3 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackMachineTemplates/_openstackMachineTemplateSpec.yaml (1 hunks)
• charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackMachineTemplates/_openstackMachineTemplateSpec.yaml
• charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-07-24T09:56:41.380Z

Learnt from: cwrau
Repo: teutonet/teutonet-helm-charts PR: 1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's `valuesFrom` feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.

Applied to files:

• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml

📚 Learning: 2025-07-24T09:55:53.655Z

Learnt from: cwrau
Repo: teutonet/teutonet-helm-charts PR: 1601
File: charts/base-cluster/templates/dns/external-dns.yaml:30-32
Timestamp: 2025-07-24T09:55:53.655Z
Learning: In charts/base-cluster/templates/dns/external-dns.yaml, the dns.provider field in values.yaml has always been expected to be a map format (e.g., `{ cloudflare: {} }`), never a string format. The template correctly uses `{{ .Values.dns.provider | keys | first }}` to extract the provider name from the map keys.

Applied to files:

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
• charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml

🔇 Additional comments (3)

charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (1)

147-156: Hosted-only allocate-node-cidrs wiring looks consistent with other helpers

Merging .context.Values into the local scope and gating allocate-node-cidrs on .Values.controlPlane.hosted matches the existing helper patterns and fits the hosted/native-routing use case. I don’t see any functional issues here.

charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (1)

66-91: Envoy Prometheus and Hubble static export configuration looks structurally correct

The new envoy.prometheus.enabled flag and hubble.export.static block (enabled + filePath: stdout + JSON allowList) are placed under the correct hierarchy and should render valid Cilium values for observability.

charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml (1)

138-139: allowAllInClusterTraffic tied to allowNativeRouting is consistent with native routing intent

Wiring managedSecurityGroups.allowAllInClusterTraffic directly to $allowNativeRouting cleanly expresses “open intra-cluster traffic when hosted+cilium native routing is enabled” and keeps the non-native-routing behavior unchanged.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @cwrau, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on integrating and enabling Cilium's advanced networking capabilities, specifically its kube-proxy replacement feature, within t8s-cluster deployments that utilize hosted control planes. The changes involve comprehensive configuration of Cilium's eBPF-based components, alongside necessary adjustments to OpenStack infrastructure resources like security groups and machine templates, and Kubernetes controller manager settings. The overarching goal is to transition to a more efficient and performant networking solution by leveraging Cilium's full potential in hosted Kubernetes environments.

Highlights

• Cilium Kube-Proxy Replacement: The core change enables Cilium's eBPF-based kube-proxy replacement functionality for hosted control planes, aiming to enhance network performance and streamline the network stack by bypassing traditional kube-proxy.
• Cilium Feature Configuration: Various advanced Cilium features, including eBPF masquerade, TPROXY, TCX, endpoint routes, bandwidth manager, egress gateway, native routing mode, and Kubernetes IPAM mode, are now conditionally enabled or configured when a hosted control plane is in use.
• OpenStack Network Adjustments: Modifications have been made to OpenStack security group rules and machine templates to support Cilium's native routing. This includes adding specific ingress rules for pod-to-pod and node-to-pod traffic and configuring allowed address pairs for network interfaces.
• Controller Manager CIDR Allocation: The Kubernetes controller manager is now configured to allocate node CIDRs when operating with a hosted control plane, which is essential for proper network address management in conjunction with Cilium's native routing.
• Hubble Observability Enhancements: Hubble, Cilium's observability tool, has been configured to export static metrics specifically for dropped and error verdicts, providing improved insights for network troubleshooting.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request enables Cilium's kube-proxy replacement for hosted control planes. The changes are generally well-aligned with this goal, correctly enabling various Cilium features and disabling the standard kube-proxy when a hosted control plane is used. However, I've identified a few issues. There's a critical issue in cni-cilium.yaml that would lead to invalid configuration values for ipam.mode and routingMode, likely causing deployment failures. I've also found a high-severity issue with a Helm lookup that lacks robustness and could lead to reconciliation failures. Additionally, there are several instances of hardcoded network CIDRs across multiple files, which I've flagged as medium-severity issues that impact maintainability. I've provided specific suggestions to address these points.

[Copilot]

Pull request overview

This PR enables Cilium's kubeProxy replacement feature for hosted control plane configurations. When controlPlane.hosted is true, the workload cluster will use Cilium's eBPF-based kube-proxy replacement with native routing mode instead of the traditional kube-proxy. This requires coordinated changes across CNI configuration, network security rules, OpenStack machine configuration, and control plane settings.

Key changes:

• Enables multiple Cilium features (BPF masquerade, native routing, kubeProxy replacement) conditionally based on hosted control plane mode
• Configures security group rules to allow native pod-to-pod routing in OpenStack
• Disables kube-proxy in hosted control plane deployments and enables node CIDR allocation in controller manager

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
cni-cilium.yaml	Enables kubeProxy replacement and native routing features in Cilium when using hosted control planes
_openstackMachineTemplateSpec.yaml	Adds allowed address pairs for pod CIDR to enable native routing at OpenStack port level
_openStackClusterTemplateSpec.yaml	Adds security group rules for pod-pod and node-pod native routing; refactors protocol handling
_hostedControlPlaneTemplateSpec.yaml	Disables kube-proxy in hosted control plane configuration
_helpers.tpl	Enables node CIDR allocation in controller manager for hosted control planes

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e984d19 and 793718c.

📒 Files selected for processing (5)

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (1 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml (1 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml (2 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackMachineTemplates/_openstackMachineTemplateSpec.yaml (1 hunks)
• charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-24T09:55:53.655Z

Learnt from: cwrau
Repo: teutonet/teutonet-helm-charts PR: 1601
File: charts/base-cluster/templates/dns/external-dns.yaml:30-32
Timestamp: 2025-07-24T09:55:53.655Z
Learning: In charts/base-cluster/templates/dns/external-dns.yaml, the dns.provider field in values.yaml has always been expected to be a map format (e.g., `{ cloudflare: {} }`), never a string format. The template correctly uses `{{ .Values.dns.provider | keys | first }}` to extract the provider name from the map keys.

Applied to files:

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl

🪛 GitHub Actions: Lint Helm Charts

charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml

[error] 53-53: Chart lint failed due to template error: nil pointer evaluating interface {}.listeners (template: t8s-cluster/templates/workload-cluster/cni-cilium.yaml:53)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: check licenses
• GitHub Check: Agent

🔇 Additional comments (7)

charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml (1)

68-69: LGTM!

The kubeProxy disablement is correctly tied to the hosted control plane flag, which aligns with enabling Cilium's kubeProxyReplacement feature in hosted mode.

charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (1)

148-154: LGTM!

The addition of allocate-node-cidrs for hosted control planes is correct. The controller manager needs to allocate node CIDRs when running in hosted mode with native routing.

charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml (1)

110-118: LGTM - Enhanced remote target handling.

The expanded logic correctly handles remoteGroupID, remoteManagedGroups, and remoteIPPrefix in priority order, with a sensible fallback to allRemoteManagedGroups. This supports the new hosted mode security rules.

charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (3)

41-41: kubeProxyReplacement requires coordination with kubeadm.

The comment on line 40 mentions that kubeProxyReplacement "currently not really possible with kubeadmcontrolplane" because they don't support disabling the built-in kube-proxy. However, this PR sets kubeProxy.disabled in the hosted control plane template (line 69 of _hostedControlPlaneTemplateSpec.yaml).

Verify that:

1. The hosted control plane setup actually supports disabling kube-proxy
2. The kubeProxy.disabled flag in the hosted template is sufficient
3. No additional configuration is needed to prevent kube-proxy from being deployed

---

82-87: LGTM - Hubble export configuration.

Enabling static export to stdout with a filter for DROPPED and ERROR verdicts is a good observability practice for debugging network issues.

---

31-49: Based on my verification through web search and codebase analysis, I can now provide the rewritten review comment:

Verify kernel version and configuration requirements for hosted mode Cilium features.

When controlPlane.hosted is enabled, multiple advanced Cilium BPF features are simultaneously activated (masquerade, tproxy, TCX, endpoint routes, bandwidth manager, egressGateway, kubeProxyReplacement, native routing with direct node routes, and local redirect policies). This creates significant kernel dependencies:

• TCX requires Linux kernel 6.6+ (enabled by enableTCX when hosted=true)
• Bandwidth Manager requires kernel >= 5.18 with CONFIG_NET_SCH_FQ
• TPROXY requires CONFIG_NETFILTER_XT_TARGET_TPROXY and related netfilter configs
• IPAM mode is set to "kubernetes" (appropriate for hosted control planes)

Since this chart targets OpenStack deployments (evidenced by cloud-provider-openstack integration), verify that your compute nodes support kernel 6.6+ and the required BPF/netfilter kernel configurations before enabling hosted mode.

charts/t8s-cluster/templates/management-cluster/clusterClass/openStackMachineTemplates/_openstackMachineTemplateSpec.yaml (1)

8-12: The allowedAddressPairs configuration for 10.0.0.0/16 is correctly applied to all machine templates in hosted mode. This CIDR represents the pod network, as confirmed by the CNI configuration (ipv4NativeRoutingCIDR: 10.0.0.0/16 in cni-cilium.yaml) and the security group rules in openStackClusterTemplate. All nodes—both control-plane and compute-plane—must allow traffic destined for pod IPs, making this configuration appropriate for both node types.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml (1)

55-59: Fix protocol nil handling in hosted CNI security group rules.

Setting protocol: nil in the rule dict combined with the hasKey ternary at line 104 causes the protocol to remain nil instead of defaulting to "tcp". OpenStack security group rules require an explicit protocol, so this will fail.

Apply one of these fixes:

Option A (recommended): Omit the protocol key and let line 104 default to "tcp"

-      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow pod-pod native routing (ingress)" (dict "remoteIPPrefix" "10.0.0.0/16" "protocol" nil) -}}
-      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow node-pod native routing (ingress)" (dict "remoteIPPrefix" "10.6.0.0/16" "protocol" nil) -}}
+      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow pod-pod native routing (ingress)" (dict "remoteIPPrefix" "10.0.0.0/16") -}}
+      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow node-pod native routing (ingress)" (dict "remoteIPPrefix" "10.6.0.0/16") -}}

Option B: Explicitly set protocol to "tcp"

-      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow pod-pod native routing (ingress)" (dict "remoteIPPrefix" "10.0.0.0/16" "protocol" nil) -}}
-      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow node-pod native routing (ingress)" (dict "remoteIPPrefix" "10.6.0.0/16" "protocol" nil) -}}
+      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow pod-pod native routing (ingress)" (dict "remoteIPPrefix" "10.0.0.0/16" "protocol" "tcp") -}}
+      {{- $cniSecurityGroupRules = set $cniSecurityGroupRules "allow node-pod native routing (ingress)" (dict "remoteIPPrefix" "10.6.0.0/16" "protocol" "tcp") -}}

charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (1)

42-42: Fix kubeProxyReplacement value type.

kubeProxyReplacement: true will output the string "true" in YAML, but Cilium expects one of the strings "strict", "probe", "disabled", or "false". The string "true" is not a valid kubeProxyReplacement mode and will cause the Helm release to fail.

Based on the comment at line 41 indicating kubeadm control planes don't support disabling kube-proxy, the intent is likely to use full proxy replacement in hosted mode. Change this to:

-    kubeProxyReplacement: true
+    kubeProxyReplacement: strict

If you need conditional behavior in non-hosted mode, use nil (which omits the key and lets Cilium use its default):

+    {{- if .Values.controlPlane.hosted }}
     kubeProxyReplacement: strict
+    {{- end }}

🧹 Nitpick comments (1)

charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (1)

59-59: Consider externalizing hardcoded CIDR to values for flexibility.

The ipv4NativeRoutingCIDR: 10.0.0.0/16 is hardcoded. This same CIDR also appears in the OpenStack security group rules (file _openStackClusterTemplateSpec.yaml, lines 56 and 133). Hardcoding reduces chart flexibility and makes it harder to support custom pod CIDR configurations.

Consider adding a values key like .Values.network.ipv4NativeRoutingCIDR and referencing it consistently across templates:

-    ipv4NativeRoutingCIDR: 10.0.0.0/16 # default net, see hosted control plane controller
+    ipv4NativeRoutingCIDR: {{ .Values.network.ipv4NativeRoutingCIDR | default "10.0.0.0/16" }}

This would improve reusability and simplify future CIDR changes across the chart.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1cb12fe and 9827acd.

📒 Files selected for processing (5)

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl (1 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml (1 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml (2 hunks)
• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackMachineTemplates/_openstackMachineTemplateSpec.yaml (1 hunks)
• charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
• charts/t8s-cluster/templates/management-cluster/clusterClass/hostedControlPlaneTemplate/_hostedControlPlaneTemplateSpec.yaml
• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackMachineTemplates/_openstackMachineTemplateSpec.yaml

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-07-24T09:56:41.380Z

Learnt from: cwrau
Repo: teutonet/teutonet-helm-charts PR: 1601
File: charts/base-cluster/templates/dns/external-dns.yaml:33-39
Timestamp: 2025-07-24T09:56:41.380Z
Learning: In the teutonet-helm-charts base-cluster chart, secret names like "external-dns" for Cloudflare provider are intentionally hard-coded. Users who need custom secret names should use Helm's `valuesFrom` feature to override values rather than expecting dedicated fields in values.yaml. This design keeps the values.yaml clean while still allowing full customization flexibility.

Applied to files:

• charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml

📚 Learning: 2025-07-24T09:55:53.655Z

Learnt from: cwrau
Repo: teutonet/teutonet-helm-charts PR: 1601
File: charts/base-cluster/templates/dns/external-dns.yaml:30-32
Timestamp: 2025-07-24T09:55:53.655Z
Learning: In charts/base-cluster/templates/dns/external-dns.yaml, the dns.provider field in values.yaml has always been expected to be a map format (e.g., `{ cloudflare: {} }`), never a string format. The template correctly uses `{{ .Values.dns.provider | keys | first }}` to extract the provider name from the map keys.

Applied to files:

• charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: lint helm chart (t8s-cluster)

🔇 Additional comments (4)

charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml (1)

110-118: Remote target selection logic looks correct.

The fallback chain (remoteGroupID → remoteManagedGroups → remoteIPPrefix → allRemoteManagedGroups) is sound and properly routes the new hosted rules through the remoteIPPrefix branch.

charts/t8s-cluster/templates/workload-cluster/cni-cilium.yaml (3)

52-57: Gateway lookup nil handling is robust.

The implementation properly checks for a nil Gateway object and fails with a clear error message rather than dereferencing nil. This addresses the past pipeline failure from the lookup function.

---

66-68: Envoy and Hubble export configurations look good.

The additions for envoy.prometheus.enabled and hubble.export.static are valid Cilium observability features with correct configuration structure.

Also applies to: 86-91

---

44-47: IPAM and routing configuration is appropriate for hosted mode.

The settings for ipam.mode: kubernetes, routingMode: native, and direct node routing are correct for hosted control plane scenarios where native routing and Kubernetes-allocated CIDRs are desired.