@lexfrei lexfrei commented Dec 29, 2025

What this PR does

  • Update Cilium from v1.17.8 to v1.18.5
  • Add SED_INPLACE variable to scripts/common-envs.mk for macOS compatibility
  • Remove deprecated enableRuntimeDeviceDetection option (now default behavior in 1.18)

Cilium 1.18 requires Linux kernel 5.10+ (compatible with Talos).

References:

Release note

[cilium] Update Cilium to v1.18.5

Summary by CodeRabbit

Release Notes

  • New Features

    • Added configurable Kubernetes service discovery with ConfigMap-based endpoint source
    • Introduced exponential backoff settings for Kubernetes API client connections
    • Added metrics sampling interval configuration for internal agent metrics
    • Implemented identity management mode options for endpoint slices and DNS proxy pre-allocation
    • Enhanced Prometheus scrape timeout configuration across monitoring components
  • Improvements

    • Upgraded core components to v1.18.5
    • Strengthened security defaults by disabling privilege escalation across pods
    • Added startup and liveness probe configurations for improved health monitoring
    • Extended network policy correlation capabilities in Hubble


lexfrei and others added 2 commits December 29, 2025 15:16
Add SED_INPLACE variable to common-envs.mk that detects the OS and uses
the appropriate sed in-place syntax: `sed -i ''` on macOS (Darwin) and
`sed -i` on Linux.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

Update Cilium from v1.17.8 to v1.18.5.

Breaking changes addressed:
- Remove deprecated enableRuntimeDeviceDetection option from
  values-kubeovn.yaml (now default behavior in 1.18)
- Use SED_INPLACE variable for macOS compatibility in Makefile

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

coderabbitai bot commented Dec 29, 2025

Walkthrough

This pull request updates the Cilium Helm chart from version 1.17 to 1.18.5, introducing new configuration options for Kubernetes service discovery (k8sServiceHostRef), client exponential backoff, identity management modes, and kvstore configurations; enhancing security contexts, Envoy timeouts, pod disruption budgets, and ServiceMonitor scrapeTimeouts; and restructuring clustermesh conditional logic to remove external workloads dependencies.

Changes

Cohort / File(s) Summary
Build Configuration
packages/system/cilium/Makefile, scripts/common-envs.mk
Bumped Cilium version from 1.17 to 1.18.5; introduced SED_INPLACE variable for macOS-compatible sed invocations; replaced direct sed calls with centralized variable.
Chart Metadata & Documentation
packages/system/cilium/charts/cilium/Chart.yaml, packages/system/cilium/charts/cilium/README.md
Updated appVersion and chart version to 1.18.5; refreshed CRD kind definitions with updated metadata (displayName, description); extensively documented new values including SPIRE, bandwidth manager, BGP control plane, CNI, identity allocation, and component-specific configurations.
Cilium Agent Templates
packages/system/cilium/charts/cilium/templates/cilium-agent/(daemonset|clusterrole|role|rolebinding|servicemonitor).yaml
Added templated DaemonSet name, default-container annotations, conditional k8sServiceHostRef and k8sServiceHost environment variables, k8sClientExponentialBackoff support; tightened CNI startup condition and envoy admin readiness checks; merged secrets permissions into consolidated core API rule; added app.kubernetes.io/name label to ServiceMonitor.
Cilium Envoy Templates
packages/system/cilium/charts/cilium/templates/cilium-envoy/(configmap/bootstrap-config.yaml|configmap.yaml|daemonset.yaml|servicemonitor.yaml)
Parameterized streamIdleTimeout from hard-coded "0s" to configurable streamIdleTimeoutDurationSeconds; made startupProbe and livenessProbe conditional on enable flags; added k8sServiceHostRef ConfigMap injection; widened ConfigMap rendering condition (ignores preflight flag); added conditional scrapeTimeout to ServiceMonitor.
Cilium Operator Templates
packages/system/cilium/charts/cilium/templates/cilium-operator/(clusterrole|deployment|poddisruptionbudget|rolebinding|servicemonitor).yaml
Expanded EndpointSlice synchronization condition to include MCS API support; added support for identityManagementMode "operator" or "both"; removed ciliumexternalworkloads.cilium.io permissions; added ciliumgatewayclassconfigs.cilium.io and gateway API status permissions; injected k8sServiceHostRef and agentNotReadyTaintKey support; added version-gated unhealthyPodEvictionPolicy and conditional scrapeTimeout.
Cilium Preflight Templates
packages/system/cilium/charts/cilium/templates/cilium-preflight/(clusterrole|clusterrolebinding|daemonset|deployment|poddisruptionbudget).yaml
Moved secrets permissions under conditional resources block; added preflight annotations and default-container annotation; conditionally deployed envoy sidecar with volumes/config when enabled; injected k8sServiceHostRef support; added unhealthyPodEvictionPolicy gating on k8s version ≥1.27.
Cilium Secrets & Common Templates
packages/system/cilium/charts/cilium/templates/(cilium-ca-secret.yaml|cilium-configmap.yaml|cilium-secrets-namespace.yaml|_helpers.tpl|NOTES.txt)
Replaced externalWorkloads + useAPIServer condition with useAPIServer alone in CA secret; extensively refactored cilium-configmap with new defaults (IPv4 masquerade, defaultEnableIPv4Masquerade), compatibility upgrades, and policy/BPF defaults; added namespace annotations support; introduced identityAllocationCRD helper template; added conditional warnings rendering to NOTES.txt.
Cilium Flowlog & Ingress Templates
packages/system/cilium/charts/cilium/templates/(cilium-flowlog-configmap.yaml|cilium-ingress-service.yaml)
Refactored flowLogs config with per-item field injection (fileMaxSizeMb, fileMaxBackups, fileCompress); conditionally rendered nodePort and externalTrafficPolicy based on ingress controller service configuration and hostNetwork.
ClusterMesh API Server Templates
packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/(clusterrole|clusterrolebinding|deployment|metrics-service|poddisruptionbudget|service|serviceaccount|servicemonitor).yaml
Tightened ClusterRole/RoleBinding creation conditions to require useAPIServer, kvstoreMode="internal", and identityAllocationCRD; removed externalWorkloads dependencies throughout; introduced kvstoreMode-based deployment strategy (Recreate for external); added default-container annotation; added enable-cilium-endpoint-slice arg; expanded etcd-related volumes/mounts based on kvstoreMode; added version-gated unhealthyPodEvictionPolicy and conditional scrapeTimeout with identityAllocationCRD gating.
ClusterMesh TLS Cert-Manager Templates
packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/(admin|client|local|remote|server)-secret.yaml
Tightened admin, local, remote, and server certificate conditions to require kvstoreMode="internal"; removed entire client certificate template (was gated on externalWorkloads).
ClusterMesh TLS CronJob Templates
packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/(_job-spec.tpl|cronjob.yaml|job.yaml|role.yaml|rolebinding.yaml|serviceaccount.yaml)
Added certgen resources block; replaced externalWorkloads-dependent conditions with useAPIServer-only gating in cronjob and role/rolebinding/serviceaccount; tightened job condition to require kvstoreMode="internal"; updated service account to use useAPIServer exclusivity.
ClusterMesh TLS Helm Templates
packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/(admin|client|local|remote|server)-secret.yaml
Tightened admin, local, remote, and server certificate conditions to require kvstoreMode="internal"; removed entire client certificate template (was gated on externalWorkloads).
ClusterMesh TLS Provided Templates
packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/(admin|client|remote|server)-secret.yaml
Tightened admin and server certificate conditions to require useAPIServer AND kvstoreMode="internal" (removed externalWorkloads); added kvstoreMode="internal" check to remote-secret; removed entire client certificate template.
ClusterMesh Config & Users Templates
packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/(users-configmap.yaml)
Tightened users-configmap condition to require useAPIServer, kvstoreMode="internal", and identityAllocationCRD.
ClusterMesh Config Helpers
packages/system/cilium/charts/cilium/templates/clustermesh-config/(_helpers.tpl|clustermesh-secret.yaml|kvstoremesh-secret.yaml)
Added local_etcd support in helper with conditional etcd config/TLS handling; introduced local_etcd flag and etcd_config parameters to clustermesh secret generation; extended kvstoremesh-secret include call with additional parameters.
Hubble Relay & UI Templates
packages/system/cilium/charts/cilium/templates/hubble-relay/(poddisruptionbudget.yaml|servicemonitor.yaml), packages/system/cilium/charts/cilium/templates/hubble-ui/(_nginx.tpl|poddisruptionbudget.yaml|service.yaml)
Added version-gated unhealthyPodEvictionPolicy and conditional scrapeTimeout to relay; added app.kubernetes.io/part-of and app.kubernetes.io/name labels to relay ServiceMonitor; disabled kube-probe request logging in hubble-ui nginx; added unhealthyPodEvictionPolicy to hubble-ui PodDisruptionBudget; injected hubble.ui.service.labels into Service metadata.
Hubble Metrics & TLS Templates
packages/system/cilium/charts/cilium/templates/hubble/(servicemonitor.yaml|tls-cronjob/_job-spec.tpl|tls-helm/(relay-client|server)-secret.yaml|tls-provided/metrics-server-secret.yaml)
Added app.kubernetes.io/name label and conditional scrapeTimeout to Hubble ServiceMonitor; added optional certgen resources block in cronjob job spec; introduced tls_crt/tls_key variable overrides with secret lookup for relay-client and server TLS secrets; removed whitespace in tls-provided metrics-server-secret.
SPIRE Agent & Server Templates
packages/system/cilium/charts/cilium/templates/spire/(agent/daemonset.yaml|server/statefulset.yaml)
Trailing whitespace cleanup in agent; added kubectl.kubernetes.io/default-container: spire-server annotation to server StatefulSet.
Validation Template
packages/system/cilium/charts/cilium/templates/validate.yaml
Added deprecation checks for v1.18 removed options (enableCiliumEndpointSlice, ciliumEndpointSlice.sliceMode); added validation preventing simultaneous k8sServiceHostRef and k8sServiceHost; restructured clustermesh validation around identityAllocationCRD vs kvstoreMode distinctions; added kvstoreMode (external/internal) validation; enforced external-mode constraints (single replica, useAPIServer=true, kvstoremesh.enabled); added maxConnectedClusters (255/511) validation; added k8sClientExponentialBackoff environment variable deduplication check.
Warnings Template
packages/system/cilium/charts/cilium/templates/warnings.txt
Added cilium.warnings template that conditionally renders deprecation warning for hubble.export keys (fileMaxSizeMb, fileMaxBackups, fileCompress) with migration guidance to exporter types.
Values Schema & Configuration
packages/system/cilium/charts/cilium/values.schema.json, packages/system/cilium/charts/cilium/values.yaml, packages/system/cilium/charts/cilium/values.yaml.tmpl
Added numerous new top-level and nested fields: policyDefaultLocalCluster, connectivityProbeFrequencyRatio, k8sServiceHostRef, kubeProxyReplacement, k8sClientExponentialBackoff, seccompProfile, allowPrivilegeEscalation defaults, startupProbe/livenessProbe enable flags, unhealthyPodEvictionPolicy, scrapeTimeout fields across ServiceMonitors, streamIdleTimeoutDurationSeconds, httpUpstreamLingerTimeout, preAllocateIdentities, policyStatsMapMax, localRedirectPolicies, fileCompress/fileMaxBackups/fileMaxSizeMb logging fields, underlayProtocol, and identityManagementMode; removed enableCiliumEndpointSlice and related legacy fields; updated image tags/digests to 1.18.5; hardened security contexts with allowPrivilegeEscalation: false across components.
Dockerfile
packages/system/cilium/images/cilium/Dockerfile
Updated ARG VERSION from v1.17.8 to v1.18.5.
Values Overrides
packages/system/cilium/values-kubeovn.yaml
Removed enableRuntimeDeviceDetection: true entry.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes


Poem

🐰 From 1.17 to 1.18 we hop,
With k8sServiceHostRef and kvstoreMode—no stop!
Security hardened, schemas expanded wide,
ClusterMesh tightened, with nothing to hide.
New probes, new timeouts, new configs galore,
Cilium's evolution—we've never seen more! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change—updating Cilium from v1.17.8 to v1.18.5—which is the primary objective of the pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@lexfrei lexfrei changed the title from "feat(cilium): Update Cilium to v1.18.5" to "[cilium] Update Cilium to v1.18.5" Dec 29, 2025
@lexfrei lexfrei marked this pull request as ready for review December 29, 2025 12:19
@dosubot dosubot bot added the size:XL (This PR changes 500-999 lines, ignoring generated files.) and enhancement (New feature or request) labels Dec 29, 2025
@gemini-code-assist

Summary of Changes

Hello @lexfrei, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a significant upgrade of the Cilium network plugin to version 1.18.5. The update incorporates various new features, removes deprecated configurations, and ensures compatibility with the latest kernel requirements. Additionally, it includes minor build script adjustments for cross-platform consistency.

Highlights

  • Cilium Version Update: Cilium has been updated from version v1.17.8 to v1.18.5, bringing the latest features and improvements.
  • macOS Compatibility for Sed: A new SED_INPLACE variable has been introduced in scripts/common-envs.mk to ensure compatibility with sed -i behavior on macOS.
  • Deprecated Option Removal: The enableRuntimeDeviceDetection option has been removed as it is now default behavior in Cilium 1.18, simplifying configuration.
  • Breaking Changes Addressed: The update addresses breaking changes in Cilium 1.18, including the requirement for Linux kernel 5.10+ and the removal of enableRuntimeDeviceDetection.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates Cilium from v1.17.8 to v1.18.5, which is a significant feature release. The changes are comprehensive, covering updates to the Helm chart, configuration values, Kubernetes resource definitions, and container images to align with the new version. Key changes include the removal of deprecated options like enableRuntimeDeviceDetection and externalWorkloads, and the introduction of many new features and configuration parameters such as improved BGP control plane options, Gateway API support enhancements, and more granular security context settings. The addition of a SED_INPLACE variable in the Makefile is a nice touch for improving macOS compatibility. The Helm templates have been updated to support new features, provide better validation, and improve user experience with features like reusing existing TLS secrets to avoid regeneration. Overall, this is a well-executed and thorough update.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml (1)

1-141: Do not directly edit vendored upstream Helm charts; changes will be lost on the next chart update.

The file is located in the vendored Cilium chart directory (packages/system/cilium/charts/cilium/). The Makefile shows that the update target removes the entire charts/ directory and re-pulls the upstream Cilium chart using helm pull. Any direct edits to this file will be discarded on the next make update.

Instead, apply customizations through:

  • Overlays or kustomize patches in the umbrella chart templates
  • Values overrides in packages/system/cilium/values.yaml
  • Chart-level patches or hooks in packages/system/cilium/templates/
packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml (1)

67-81: Fix indentation and clarify mutually exclusive conditions in Kubernetes service host configuration.

Line 76 has inconsistent indentation (extra spaces before {{-). Additionally, while there's a validation check in validate.yaml that prevents both k8sServiceHostRef and k8sServiceHost from being set simultaneously, the template structure should still be made mutually exclusive for clarity. Change the second if to else if to ensure only one block renders:

          {{- if and .Values.k8sServiceHostRef.name .Values.k8sServiceHostRef.key }}
          - name: KUBERNETES_SERVICE_HOST
            valueFrom:
              configMapKeyRef:
                name: {{ .Values.k8sServiceHostRef.name }}
                key: {{ .Values.k8sServiceHostRef.key }}
          - name: KUBERNETES_SERVICE_PORT
            value: {{ include "k8sServicePort" . }}
-          {{- end }}
-            {{- if .Values.k8sServiceHost }}
+          {{- else if .Values.k8sServiceHost }}
          - name: KUBERNETES_SERVICE_HOST
            value: {{ include "k8sServiceHost" . }}
          - name: KUBERNETES_SERVICE_PORT
            value: {{ include "k8sServicePort" . }}
          {{- end }}
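
Review bot: The first condition, `if and .Values.k8sServiceHostRef.name .Values.k8sServiceHostRef.key`, silently skips the ConfigMap reference when only one of `name` or `key` is set, and with the proposed `else if` the pod then falls back to `k8sServiceHost` or to no override at all, without any error. Suggest adding a `fail` in validate.yaml for the case where exactly one of the two fields is non-empty, so a half-configured API server endpoint is rejected at render time rather than discovered at pod startup. The `KUBERNETES_SERVICE_PORT` entry is also repeated verbatim in both branches and could be emitted once under a combined condition.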

Note: This pattern appears in multiple cilium templates (daemonset, operator, agent). Ensure changes are applied consistently across all templates or via proper chart vendoring mechanism.

♻️ Duplicate comments (1)
packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml (1)

6-13: Verify these changes are from upstream Cilium 1.18.5.

This file implements the same certificate preservation pattern as server-secret.yaml. Please confirm this change is from the upstream Cilium 1.18 chart update and not a local modification to the vendored chart. The same operational considerations regarding the lookup function apply here.

Also applies to: 32-33

🧹 Nitpick comments (3)
packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml (1)

16-16: Consider addressing the TODO comment.

The TODO mentions removing the default once v1.18 is released. Since this PR updates to v1.18.5, the condition has been met. The TODO references three actions:

  • Remove the default fallback behavior
  • Remove the warning in warnings.txt
  • Add failure validation in validate.yaml

Would you like me to help locate these related files and draft the cleanup changes?

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml (1)

1-1: Note redundant and nesting in condition.

The condition uses and (and ...) which is logically redundant. While functionally correct, it could be simplified to a single and operator with all conditions.

🔎 Optional simplification
-{{- if and (and .Values.clustermesh.useAPIServer (eq .Values.clustermesh.apiserver.kvstoremesh.kvstoreMode "internal")) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }}
+{{- if and .Values.clustermesh.useAPIServer (eq .Values.clustermesh.apiserver.kvstoremesh.kvstoreMode "internal") .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }}

However, if this template originates from upstream Cilium v1.18.5, preserve the upstream formatting to maintain consistency with future upgrades.

packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml (1)

23-26: Consider conditionally rendering annotations block.

The annotations block is always rendered, even when secretsNamespaceAnnotations is empty. While not incorrect, it produces cleaner YAML when conditionally rendered.

🔎 Proposed improvement
+  {{- with $.Values.secretsNamespaceAnnotations }}
   annotations:
-    {{- with $.Values.secretsNamespaceAnnotations }}
     {{- toYaml . | nindent 4 }}
-    {{- end }}
+  {{- end }}

However, since this is a vendored upstream chart, avoid modifying it directly. If this pattern is needed, consider raising it upstream or applying it via a post-renderer.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a03042e and 307f20f.

📒 Files selected for processing (82)
  • packages/system/cilium/Makefile
  • packages/system/cilium/charts/cilium/Chart.yaml
  • packages/system/cilium/charts/cilium/README.md
  • packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json
  • packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml
  • packages/system/cilium/charts/cilium/templates/NOTES.txt
  • packages/system/cilium/charts/cilium/templates/_helpers.tpl
  • packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-ingress-service.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/local-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/local-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl
  • packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
  • packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
  • packages/system/cilium/charts/cilium/templates/validate.yaml
  • packages/system/cilium/charts/cilium/templates/warnings.txt
  • packages/system/cilium/charts/cilium/values.schema.json
  • packages/system/cilium/charts/cilium/values.yaml
  • packages/system/cilium/charts/cilium/values.yaml.tmpl
  • packages/system/cilium/images/cilium/Dockerfile
  • packages/system/cilium/values-kubeovn.yaml
  • scripts/common-envs.mk
💤 Files with no reviewable changes (4)
  • packages/system/cilium/values-kubeovn.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml
🧰 Additional context used
📓 Path-based instructions (3)
packages/system/**

📄 CodeRabbit inference engine (AGENTS.md)

Use Helm Chart umbrella pattern with vendored upstream charts in charts/ directory

Files:

  • packages/system/cilium/Makefile
  • packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl
  • packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
  • packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml
  • packages/system/cilium/charts/cilium/templates/_helpers.tpl
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/NOTES.txt
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl
  • packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl
  • packages/system/cilium/charts/cilium/templates/validate.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml
  • packages/system/cilium/images/cilium/Dockerfile
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/local-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml
  • packages/system/cilium/charts/cilium/templates/warnings.txt
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml
  • packages/system/cilium/charts/cilium/README.md
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml
  • packages/system/cilium/charts/cilium/values.schema.json
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/local-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-ingress-service.yaml
  • packages/system/cilium/charts/cilium/Chart.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml
  • packages/system/cilium/charts/cilium/values.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
  • packages/system/cilium/charts/cilium/values.yaml.tmpl
**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Do NOT directly edit upstream Helm charts in vendored charts directory; use proper chart vendoring mechanisms

Files:

  • packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml
  • packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/validate.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/local-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-provided/metrics-server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml
  • packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/local-secret.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-ingress-service.yaml
  • packages/system/cilium/charts/cilium/Chart.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml
  • packages/system/cilium/charts/cilium/values.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Git commits should follow [component] Description format and include --signoff flag

Files:

  • packages/system/cilium/charts/cilium/README.md
🧠 Learnings (4)
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to **/*.yaml : Do NOT directly edit upstream Helm charts in vendored charts directory; use proper chart vendoring mechanisms

Applied to files:

  • packages/system/cilium/Makefile
  • packages/system/cilium/charts/cilium/templates/warnings.txt
  • packages/system/cilium/charts/cilium/Chart.yaml
📚 Learning: 2025-07-23T09:15:09.658Z
Learnt from: lllamnyp
Repo: cozystack/cozystack PR: 1233
File: packages/system/hetzner-robotlb/charts/robotlb/templates/deployment.yaml:33-35
Timestamp: 2025-07-23T09:15:09.658Z
Learning: The `./charts/robotlb/` directory in the hetzner-robotlb package contains vendored code, and the team generally avoids modifying vendored code to maintain clean separation from upstream dependencies.

Applied to files:

  • packages/system/cilium/Makefile
📚 Learning: 2025-07-11T06:28:13.696Z
Learnt from: lllamnyp
Repo: cozystack/cozystack PR: 1160
File: packages/system/hetzner-robotlb/charts/robotlb/templates/role.yaml:6-8
Timestamp: 2025-07-11T06:28:13.696Z
Learning: In Helm templates, the `{{-` directive chomps all leading whitespace including newlines back to the previous content, so `{{- toYaml .Values.something | nindent 2 }}` will render correctly even with apparent indentation issues. However, for better style, it's cleaner to put the template directive on the same line as the parent key (e.g., `rules: {{- toYaml .Values.serviceAccount.permissions | nindent 2 }}`).

Applied to files:

  • packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml
  • packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml
  • packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml
📚 Learning: 2025-07-10T12:14:27.197Z
Learnt from: lllamnyp
Repo: cozystack/cozystack PR: 1161
File: packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml:6-12
Timestamp: 2025-07-10T12:14:27.197Z
Learning: Kubernetes RBAC rules with resourceNames work correctly for list/watch verbs. When resourceNames is specified in an RBAC rule, it properly restricts access to only those named resources, even for list and watch operations. Examples: `kubectl get resource resourcename -w` watches for changes on a single resource, and `kubectl get resource --field-selector .metadata.name=resourcename` lists a specific resource. The Kubernetes API server correctly distinguishes such requests from their less specific counterparts.

Applied to files:

  • packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
🪛 markdownlint-cli2 (0.18.1)
packages/system/cilium/charts/cilium/README.md

  • 180-180: Bare URL used (MD034, no-bare-urls)
  • 181-181: Bare URL used (MD034, no-bare-urls)
  • 242-242: Bare URL used (MD034, no-bare-urls)
  • 244-244: Bare URL used (MD034, no-bare-urls)
  • 421-421: Bare URL used (MD034, no-bare-urls)
  • 495-495: Bare URL used (MD034, no-bare-urls)
  • 541-541: Bare URL used (MD034, no-bare-urls)
  • 543-543: Bare URL used (MD034, no-bare-urls)
  • 555-555: Bare URL used (MD034, no-bare-urls)
  • 721-721: Bare URL used (MD034, no-bare-urls)
  • 798-798: Bare URL used (MD034, no-bare-urls)
  • 800-800: Bare URL used (MD034, no-bare-urls)
  • 812-812: Bare URL used (MD034, no-bare-urls)
  • 821-821: Bare URL used (MD034, no-bare-urls)
  • 827-827: Bare URL used (MD034, no-bare-urls)
  • 850-850: Bare URL used (MD034, no-bare-urls)
  • 852-852: Bare URL used (MD034, no-bare-urls)
  • 861-861: Bare URL used (MD034, no-bare-urls)
  • 865-865: Bare URL used (MD034, no-bare-urls)

🪛 YAMLlint (1.37.1)
packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/validate.yaml

[error] 3-3: syntax error: expected '', but found '{'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/local-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/local-secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build

@lexfrei lexfrei self-assigned this Dec 29, 2025

@kvaps kvaps left a comment

LGTM

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 29, 2025
@lexfrei lexfrei enabled auto-merge December 29, 2025 12:56
@lexfrei lexfrei merged commit 14803a4 into main Dec 29, 2025
27 checks passed
@lexfrei lexfrei deleted the update-cilium-1.18 branch December 29, 2025 13:04
kvaps pushed a commit that referenced this pull request Jan 8, 2026
## What this PR does

- Update Cilium from v1.17.8 to v1.18.5
- Add `SED_INPLACE` variable to `scripts/common-envs.mk` for macOS
compatibility
- Remove deprecated `enableRuntimeDeviceDetection` option (now default
behavior in 1.18)

Cilium 1.18 requires Linux kernel 5.10+ (compatible with Talos).

References:
- [Cilium 1.18 Upgrade
Guide](https://docs.cilium.io/en/stable/operations/upgrade/)
- [Cilium 1.18 Release
Blog](https://isovalent.com/blog/post/cilium-1-18/)

### Release note

```release-note
[cilium] Update Cilium to v1.18.5
```

## Summary by CodeRabbit

## Release Notes

* **New Features**
  * Added configurable Kubernetes service discovery with ConfigMap-based endpoint source
  * Introduced exponential backoff settings for Kubernetes API client connections
  * Added metrics sampling interval configuration for internal agent metrics
  * Implemented identity management mode options for endpoint slices and DNS proxy pre-allocation
  * Enhanced Prometheus scrape timeout configuration across monitoring components

* **Improvements**
  * Upgraded core components to v1.18.5
  * Strengthened security defaults by disabling privilege escalation across pods
  * Added startup and liveness probe configurations for improved health monitoring
  * Extended network policy correlation capabilities in Hubble

kvaps pushed a commit that referenced this pull request Jan 8, 2026
kvaps pushed a commit that referenced this pull request Jan 9, 2026

Labels

enhancement New feature or request lgtm This PR has been approved by a maintainer size:XL This PR changes 500-999 lines, ignoring generated files.
