Update Kube-OVN v1.14.11

[kvaps]

Signed-off-by: Andrei Kvapil kvapss@gmail.com

What this PR does

Release note

[]

Summary by CodeRabbit

• New Features

  • Added configurable OVN IPsec key directory and updated deployments to mount keys from this path.
  • Tightened CRD validation with explicit numeric min/max bounds to prevent invalid configurations.

• Chores

  • Updated kube-ovn chart and container image to v1.14.11 (build environment updated).

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Updates kube-ovn to v1.14.11 across chart, values, and Dockerfile. Tightens CRD OpenAPI schemas with explicit integer min/max bounds. Adds OVN_IPSEC_KEY_DIR configuration and remaps the IPsec keys hostPath in the DaemonSet when IPsec is enabled.

Changes

Cohort / File(s)	Summary
Version bump to v1.14.11 packages/system/kubeovn/charts/kube-ovn/Chart.yaml, packages/system/kubeovn/images/kubeovn/Dockerfile, packages/system/kubeovn/charts/kube-ovn/values.yaml	Increment chart version and appVersion to v1.14.11; update Dockerfile ARGs (VERSION/TAG) to v1.14.11; update global kube-ovn image tag to v1.14.11 and base golang image to 1.25-bookworm.
CRD numeric validation bounds packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml	Replace format-based numeric constraints with explicit integer minimum/maximum bounds across multiple CRD fields (e.g., weight 1–100, replicas 0–10, observedGeneration ≥0, minRX/minTX/multiplier ranges).
IPsec key directory config and mount remap packages/system/kubeovn/charts/kube-ovn/values.yaml, packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml	Add OVN_IPSEC_KEY_DIR: "/etc/origin/ovs_ipsec_keys" to values; remap DaemonSet hostPath for IPsec keys from OPENVSWITCH_DIR to OVN_IPSEC_KEY_DIR under ENABLE_OVN_IPSEC.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Helm as Helm Chart
  participant K8s as Kubernetes API Server
  participant DS as ovncni DaemonSet
  participant Node as Node Filesystem

  Helm->>K8s: install/upgrade kube-ovn (Chart.yaml, values.yaml)
  Note over K8s: Apply CRDs with tightened numeric min/max validation
  K8s-->>Helm: CRDs accepted/rejected per schema bounds

  Helm->>K8s: apply DaemonSet (ovncni-ds.yaml)
  alt ENABLE_OVN_IPSEC = true
    K8s->>DS: create/update Pods with IPsec key volume
    DS->>Node: mount hostPath from OVN_IPSEC_KEY_DIR
  else ENABLE_OVN_IPSEC = false
    K8s->>DS: create/update Pods without IPsec key mount
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Update Kube-OVN to v1.13.10 #847 — Similar kube-ovn packaging updates: chart/values/dockerfile and ovncni-ds path adjustments.
• Update kube-ovn to latest version #922 — Related version bump and Helm chart changes for kube-ovn.

Suggested labels

ok-to-test

Suggested reviewers

• lllamnyp
• klinch0

Poem

I thump my paws—new charts align,
Bounds set neat, like rows in line.
Keys hop burrow to a safer lair,
v1.14.11 scents the air.
Helm bells ring—deploys take flight. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title succinctly describes the main change—the Kube-OVN component being updated to version v1.14.11—and aligns with the version bumps across charts, images, and configuration files; it is concise, clear, and sufficiently specific for easy identification in history.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch kube-ovn-upd

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4e0a1bf and c3f70ab.

📒 Files selected for processing (5)

• packages/system/kubeovn/charts/kube-ovn/Chart.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml (8 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/values.yaml (2 hunks)
• packages/system/kubeovn/images/kubeovn/Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml
• packages/system/kubeovn/charts/kube-ovn/Chart.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build

🔇 Additional comments (4)

packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml (1)

273-276: IPsec volume host path looks good.

Thanks for wiring the conditional mount to OVN_IPSEC_KEY_DIR; the chart now follows the upstream layout without surprises.

packages/system/kubeovn/charts/kube-ovn/values.yaml (2)

12-12: Chart tag bump matches the release.

Confirming the image tag aligns with the v1.14.11 upgrade—looks solid.

---

125-127: Thanks for exposing OVN_IPSEC_KEY_DIR.

The new default dovetails with the DaemonSet hostPath update; nothing else to flag here.

packages/system/kubeovn/images/kubeovn/Dockerfile (1)

2-8: Builder/toolchain alignment looks correct.

Bumping the build args and Go base image to v1.14.11 / Go 1.25 keeps the image buildable for this release—nice work.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on upgrading the Kube-OVN component to its v1.14.11 release. The update primarily involves synchronizing version numbers across various configuration files and Dockerfile, alongside significant refinements to the Custom Resource Definition (CRD) schemas for improved validation. Additionally, it introduces a new configuration option for specifying the storage path of OVN IPsec keys, providing greater control over the deployment environment.

Highlights

• Kube-OVN Version Update: The Kube-OVN component has been updated from version v1.14.5 to v1.14.11 across its Helm chart, application version, and Dockerfile build arguments.
• CRD Schema Refinements: The Custom Resource Definition (CRD) schema for Kube-OVN has been refined by removing deprecated format fields (e.g., int32, int64) and adding explicit minimum and maximum constraints to various integer fields, improving validation and API compatibility.
• Configurable IPsec Key Path: A new configurable variable, OVN_IPSEC_KEY_DIR, has been introduced in values.yaml to specify the host path for OVN IPsec keys, enhancing deployment flexibility.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates Kube-OVN to version v1.14.11. The changes include updating version numbers in the Helm chart, values file, and Dockerfile. It also incorporates upstream improvements to the Kube-OVN CRDs by adding stricter validation rules, and fixes the host path for OVN IPsec keys. The changes look good overall. I've added a couple of suggestions to improve maintainability and adherence to standards in the packaging files.

[gemini-code-assist]

According to the Semantic Versioning specification (SemVer 2.0.0), which is referenced in the comment on the preceding line, version numbers should be in the format X.Y.Z. The v prefix is not part of the standard. While many tools tolerate it, it's best practice to omit it for strict compliance and better interoperability.

version: 1.14.11

[gemini-code-assist]

To improve maintainability and avoid repeating the version string, you can reuse the VERSION argument defined at the top of the file. This prevents having to update the version in multiple places in the future.

ARG VERSION
RUN git clone --branch ${VERSION} --depth 1 https://github.com/kubeovn/kube-ovn /source

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bb8f204 and 4e0a1bf.

📒 Files selected for processing (5)

• packages/system/kubeovn/charts/kube-ovn/Chart.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml (8 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/values.yaml (2 hunks)
• packages/system/kubeovn/images/kubeovn/Dockerfile (1 hunks)

🧰 Additional context used

🪛 GitHub Actions: Pull Request

packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml

[error] 1-1: Build failed due to Go version mismatch: go.mod requires Go 1.25.2 or higher, but the builder is using Go 1.24.8.

packages/system/kubeovn/images/kubeovn/Dockerfile

[error] 1-1: Build failed due to Go version mismatch: go.mod requires Go 1.25.2 or higher, but the builder is using Go 1.24.8.

packages/system/kubeovn/charts/kube-ovn/values.yaml

[error] 1-1: Build failed due to Go version mismatch: go.mod requires Go 1.25.2 or higher, but the builder is using Go 1.24.8.

packages/system/kubeovn/charts/kube-ovn/Chart.yaml

[error] 1-1: Build failed due to Go version mismatch: go.mod requires Go 1.25.2 or higher, but the builder is using Go 1.24.8.

packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml

[error] 1-1: Build failed due to Go version mismatch: go.mod requires Go 1.25.2 or higher, but the builder is using Go 1.24.8.