fix(chart): cilium-configmap with unended condition

[mliner]

Description of change

Even though the helm chart seems to be valid (tested locally), I believe that there is a logical issue with the missing {{- end}} statement (previously commented in commit mentioned below). It can prevent the future problems in case helm will be more strict with template validation.

• addin Labyrinth Labs as Cilium users
• fixing chart
  • logical issue with the missing {{- end}} for condition (currently commented)
  • uncommenting default value for loadbalancer.serviceTopology: false in order to make it visible in chart-docs so that Cilium users are aware if this option, plus adjusting description to make it more clear for first users

Fixes: commit

Release note

Fix bug where more Helm options were gated by `loadbalancer` option than intended

[maintainer-s-little-helper]

Commits 033807c, 12be7fc, 6b629df do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commits 033807c, 12be7fc do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit 44b1c6d does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commits 44b1c6d, 2a27ba7 do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[youngnick]

Thanks for this @mliner, you'll need to make sure all your commits have DCO signoff at the bottom of the commit message to fix that particularly linting error.

[maintainer-s-little-helper]

Commit 44b1c6d does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[aanm]

@mliner we will need a rebase against main, after that should be good to go.

[joestringer]

I was going to fix up the style things locally and force push to get this merged, but it looks like maintainer pushes to the branch are disabled.

Here's a suggested breakdown of the changes here that explain the changes in a way we typically document, and also addresses the current CI failures:

commit dfaf1929fc9070b83aa195dd3f0d31b0bd9a676f
Author: matej.liner@lablabs.io <matej.liner@lablabs.io>
Date:   Fri Nov 21 14:25:20 2025 +0100

    fix(chart): Fix 'loadBalancer' option scope
    
    Technically the 'loadBalancer' option conditionaal here was not properly
    closed, meaning that if you somehow omitted this option section from
    configuration then Cilium would not apply about half of the possible
    option configurations. In practice this was not observed, because the
    default values always have a value for the loadBalancer configuration.
    Still, it's a logical error so let's fix it to have a valid Helm chart.
    
    Signed-off-by: Matej Líner <matej.liner@lablabs.io>
    Signed-off-by: Joe Stringer <joe@cilium.io>

diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
index 4392c0a2a1c0..8a68d185c4c3 100644
--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml
+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -906,9 +906,9 @@ data:
 {{- end }}
 {{- if hasKey .Values.loadBalancer "serviceTopology" }}
   enable-service-topology: {{ .Values.loadBalancer.serviceTopology | quote }}
-# {{- end }}
-
 {{- end }}
+{{- end }}
+
 {{- if hasKey .Values.maglev "tableSize" }}
   bpf-lb-maglev-table-size: {{ .Values.maglev.tableSize | quote}}
 {{- end }}

commit fd990ece02a62acdc6b90f758fc5cdaa2cbcd066
Author: matej.liner@lablabs.io <matej.liner@lablabs.io>
Date:   Fri Jan 23 11:51:05 2026 -0800

    fix(docs): Expose 'loadBalancer.serviceTopology'
    
    This option was previously hidden from the user docs because it was
    commented out. The default Helm value here matches the default value
    embedded into the Cilium binary, so enabling the config in the Helm
    chart should not have any functional change by default. However it will
    enable users to discover the option more easily in the docs.
    
    Signed-off-by: Matej Líner <matej.liner@lablabs.io>
    Signed-off-by: Joe Stringer <joe@cilium.io>

diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index 903faa505cfe..d2d688f4374e 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -3063,7 +3063,7 @@
    * - :spelling:ignore:`loadBalancer`
      - Configure service load balancing
      - object
-     - ``{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}``
+     - ``{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]},"serviceTopology":false}``
    * - :spelling:ignore:`loadBalancer.acceleration`
      - acceleration is the option to accelerate service handling via XDP Applicable values can be: disabled (do not use XDP), native (XDP BPF program is run directly out of the networking driver's early receive path), or best-effort (use native mode XDP acceleration on devices that support it).
      - string
@@ -3084,6 +3084,10 @@
      - List of ports from service to be automatically redirected to above backend. Any service exposing one of these ports will be automatically redirected. Fine-grained control can be achieved by using the service annotation.
      - list
      - ``[]``
+   * - :spelling:ignore:`loadBalancer.serviceTopology`
+     - serviceTopology enables K8s Topology Aware Hints -based service endpoints filtering
+     - bool
+     - ``false``
    * - :spelling:ignore:`localRedirectPolicies.addressMatcherCIDRs`
      - Limit the allowed addresses in Address Matcher rule of Local Redirect Policies to the given CIDRs. @schema@ type: [null, array] @schema@
      - string
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
index 9c368c2dda6b..1971e052f589 100644
--- a/install/kubernetes/cilium/README.md
+++ b/install/kubernetes/cilium/README.md
@@ -815,12 +815,13 @@ contributors across the globe, there is almost always someone available to help.
 | livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | livenessProbe.requireK8sConnectivity | bool | `false` | whether to require k8s connectivity as part of the check. |
-| loadBalancer | object | `{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}` | Configure service load balancing |
+| loadBalancer | object | `{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]},"serviceTopology":false}` | Configure service load balancing |
 | loadBalancer.acceleration | string | `"disabled"` | acceleration is the option to accelerate service handling via XDP Applicable values can be: disabled (do not use XDP), native (XDP BPF program is run directly out of the networking driver's early receive path), or best-effort (use native mode XDP acceleration on devices that support it). |
 | loadBalancer.l7 | object | `{"algorithm":"round_robin","backend":"disabled","ports":[]}` | L7 LoadBalancer |
 | loadBalancer.l7.algorithm | string | `"round_robin"` | Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. service.cilium.io/lb-l7-algorithm) Applicable values: round_robin, least_request, random |
 | loadBalancer.l7.backend | string | `"disabled"` | Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration.  Applicable values:   - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.   - disabled: Disable L7 load balancing by way of service annotation. |
 | loadBalancer.l7.ports | list | `[]` | List of ports from service to be automatically redirected to above backend. Any service exposing one of these ports will be automatically redirected. Fine-grained control can be achieved by using the service annotation. |
+| loadBalancer.serviceTopology | bool | `false` | serviceTopology enables K8s Topology Aware Hints -based service endpoints filtering |
 | localRedirectPolicies.addressMatcherCIDRs | string | `nil` | Limit the allowed addresses in Address Matcher rule of Local Redirect Policies to the given CIDRs. @schema@ type: [null, array] @schema@ |
 | localRedirectPolicies.enabled | bool | `false` | Enable local redirect policies. |
 | localRedirectPolicy | bool | `false` | Enable Local Redirect Policy (deprecated, please use 'localRedirectPolicies.enabled' instead) |
diff --git a/install/kubernetes/cilium/values.schema.json b/install/kubernetes/cilium/values.schema.json
index f47545dd7c67..7b7fbbab57cb 100644
--- a/install/kubernetes/cilium/values.schema.json
+++ b/install/kubernetes/cilium/values.schema.json
@@ -4646,6 +4646,9 @@
             }
           },
           "type": "object"
+        },
+        "serviceTopology": {
+          "type": "boolean"
         }
       },
       "type": "object"
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index 14b0d1ae647e..3fee875ee89c 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -2471,8 +2471,7 @@ loadBalancer:
 
   # -- serviceTopology enables K8s Topology Aware Hints -based service
   # endpoints filtering
-  # serviceTopology: false
-
+  serviceTopology: false
   # -- L7 LoadBalancer
   l7:
     # -- Enable L7 service load balancing via envoy proxy.
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
index bf063f47028e..861bf39f413d 100644
--- a/install/kubernetes/cilium/values.yaml.tmpl
+++ b/install/kubernetes/cilium/values.yaml.tmpl
@@ -2495,7 +2495,7 @@ loadBalancer:
 
   # -- serviceTopology enables K8s Topology Aware Hints -based service
   # endpoints filtering
-  # serviceTopology: false
+  serviceTopology: false
 
   # -- L7 LoadBalancer
   l7:

commit ec17f3add0f4d6544b6d9a787f2df772b3081ee1 (HEAD -> fix-chart-template-plus-users, fix-chart-template-plus-users+local)
Author: matej.liner@lablabs.io <matej.liner@lablabs.io>
Date:   Fri Jan 23 11:48:48 2026 -0800

    Add Labryinth Labs to USERS.md
    
    Signed-off-by: Matej Líner <matej.liner@lablabs.io>
    Signed-off-by: Joe Stringer <joe@cilium.io>

diff --git a/USERS.md b/USERS.md
index f03fc62e0ebf..dda467cb592a 100644
--- a/USERS.md
+++ b/USERS.md
@@ -538,6 +538,12 @@ Users (Alphabetically)
       L: https://github.com/xiaods/k8e
       Q: @xds2000
 
+    * N: Labyrinth Labs
+      D: One stop shop for Cloud, AWS, Kubernetes
+      U: Networking, network policies, Hubble for network visibility
+      L: https://lablabs.io
+      Q: @mliner
+
     * N: LinkPool
       D: LinkPool is a professional Web3 infrastructure provider.
       U: LinkPool is using Cilium as the CNI for its on-premise production clusters

I made this version also available here if you agree with the changes and want to pull/update the PR: https://github.com/joestringer/cilium/commits/pr/joe/serviceTopology-helm

[mliner]

@joestringer I've reorganized and documented the commits based on your proposal. Please review.

[joestringer]

Thanks. It's still breaking the documentation workflow:

diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
index 31d2599d63..135425d726 100644
--- a/Documentation/helm-values.rst
+++ b/Documentation/helm-values.rst
@@ -3085,7 +3085,7 @@
      - list
      - ``[]``
    * - :spelling:ignore:`loadBalancer.serviceTopology`
-     - Enables Kubernetes Topology Aware routing. When enabled, Cilium will filter Service endpoints based on topology hints, preferring endpoints in the same zone. For more details check: https://kubernetes.io/docs/concepts/services-networking/topology-aware-routing/
+     - serviceTopology enables K8s Topology Aware Hints -based service endpoints filtering
      - bool
      - ``false``
    * - :spelling:ignore:`localRedirectPolicies.addressMatcherCIDRs`
make: *** [Makefile:123: check] Error 1
HINT: to fix this, run 'make -C Documentation update-helm-values'
make: Leaving directory '/home/runner/work/cilium/cilium/Documentation'
Error: Process completed with exit code 2.

The text you proposed looks more useful, but it will need to be in the comments in the values.yaml.tmpl in order to get picked up into the docs.

[joestringer]

Sorry, looks like the spellchecker is triggering a failure due to the config option:

WARNING: Found 2 misspelled words

Please fix the following spelling mistakes:
* Documentation/helm-values.rst:3088: (serviceTopology)  serviceTopology enables K8s Topology Aware Hints -based service endpoints filtering
* Documentation/helm-values.rst:3088: (serviceTopology)  serviceTopology enables K8s Topology Aware Hints -based service endpoints filtering

If the words are not misspelled, run:
Documentation/update-spelling_wordlist.sh serviceTopology 

[mliner]

Sorry, looks like the spellchecker is triggering a failure due to the config option:

WARNING: Found 2 misspelled words

Please fix the following spelling mistakes:
* Documentation/helm-values.rst:3088: (serviceTopology)  serviceTopology enables K8s Topology Aware Hints -based service endpoints filtering
* Documentation/helm-values.rst:3088: (serviceTopology)  serviceTopology enables K8s Topology Aware Hints -based service endpoints filtering

If the words are not misspelled, run:
Documentation/update-spelling_wordlist.sh serviceTopology 

It would be great if a pre-commit hook was implemented to resolve these issues before they reach the pipeline.

[joestringer]

Yeah good point. I filed #44039 to open some discussion on that. If there's a way to do it in a way that either has minimal impact for the average commit command (or at least has an opt-out) then maybe we can integrate such a change into the tree.

[joestringer]

/test

[joestringer]

The tests failed after multiple tries, but I don't know if the failures are related. I can't rebase the PR for you but maybe you could try rebasing the PR against the tip of main and we can retry the tests to confirm whether this PR might be introducing a breakage.

[mliner]

/test

[joestringer]

/test

[joestringer]

@cilium/sig-datapath @cilium/sig-clustermesh the clustermesh suite seems like it's emitting failures but the failure seems unrelated to the changes proposed in the PR. Could you take a look and follow up?

  [.] Action [no-unexpected-packet-drops/no-unexpected-packet-drops:kind-cluster1/cluster1-worker]
  ❌ Found unexpected packet drops:
{
  "labels": {
    "direction": "EGRESS",
    "reason": "NAT 46/64 not enabled"
  },
  "name": "cilium_drop_count_total",
  "value": 1
}
.  [.] Action [no-unexpected-packet-drops/no-unexpected-packet-drops:kind-cluster2/cluster2-control-plane]
.[=] [cilium-test-1] Skipping test [check-log-errors] [129/129] (skipped by user)

📋 Test Report [cilium-test-1]
❌ 1/2 tests failed (1/4 actions), 127 tests skipped, 0 scenarios skipped:
Test [no-unexpected-packet-drops]:
  🟥 no-unexpected-packet-drops/no-unexpected-packet-drops:kind-cluster1/cluster1-worker: Found unexpected packet drops:
{
  "labels": {
    "direction": "EGRESS",
    "reason": "NAT 46/64 not enabled"
  },
  "name": "cilium_drop_count_total",
  "value": 1
}
    ⛑️ The following owners are responsible for reliability of the testsuite: 
        - @cilium/sig-agent (no-unexpected-packet-drops)
        - @cilium/sig-datapath (no-unexpected-packet-drops)
        - @cilium/sig-clustermesh (.github/workflows/tests-clustermesh-upgrade.yaml)
        - @cilium/ci-structure (.github/workflows/tests-clustermesh-upgrade.yaml)
[cilium-test-1] 1 tests failed

[viktor-kurchenko]

@cilium/sig-datapath @cilium/sig-clustermesh the clustermesh suite seems like it's emitting failures but the failure seems unrelated to the changes proposed in the PR. Could you take a look and follow up?

@joestringer Marco and I looking into it here: #44313

[joestringer]

Thanks! In that case I'll retrigger the failing test and queue to merge.

[joestringer]

@cilium/community PTAL

[joestringer]

I bypassed the review request for @cilium/community and will follow up separately how this got stuck for so long.

Thanks for the contribution @mliner!