@kvaps
Member

@kvaps kvaps commented Jan 6, 2026

What this PR does

Update kube-ovn from v1.14.11 to v1.14.25.

Changes synced from upstream include:

  • Updated chart templates
  • New configuration options in values

Release note

[kube-ovn] Update to v1.14.25

Summary by CodeRabbit

  • New Features

    • Added tolerations support for VpcNatGateway resources
    • Added automatic VLAN subinterface creation capability for provider networks
    • Enhanced installation documentation with OCI Registry and Talos Linux deployment examples
  • Security Improvements

    • Applied runtime-default seccomp profiles across deployments
    • Configured service account token mounting behavior for improved pod security
  • Chores

    • Updated Kube-OVN to v1.14.25
    • Updated Helm chart metadata and dependencies


Update kube-ovn from v1.14.11 to v1.14.25.
Sync chart templates with upstream changes.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@coderabbitai
Contributor

coderabbitai bot commented Jan 6, 2026

Walkthrough

This pull request updates the Kube-OVN Helm chart to version 1.14.25, adds security hardening features (seccomp profiles and service account token controls), enhances CRD schemas with new fields, and improves installation documentation and init container configurations.

Changes

Cohort / File(s) Summary
Chart & Build Configuration
packages/system/kubeovn/Chart.yaml, packages/system/kubeovn/Makefile, packages/system/kubeovn/charts/kube-ovn/Chart.yaml
Updated Helm chart versions (0.39.0 → 0.38.0, Chart 1.14.11 → 1.14.25) and Makefile tag (v0.39.0 → v0.40.0) for artifact versioning.
Documentation
packages/system/kubeovn/charts/kube-ovn/README.md
Added comprehensive installation guidance including OCI Registry deployment, From Source instructions (standard, HA, upgrade), and Talos Linux-specific configuration with openvswitch module requirements.
Template Helpers & CRD Definitions
packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl, packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml
Wrapped node IP collection logic to handle empty node lists; added tolerations schema and autoCreateVlanSubinterfaces field to CRDs for VpcNatGateway and ProviderNetwork resources.
Security Hardening - Pod Specs
packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml, packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml, packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml, packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml, packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml, packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml, packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml, packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
Added automountServiceAccountToken: true and securityContext with seccompProfile.type: RuntimeDefault to pod specs across multiple Deployments and DaemonSets for enhanced security posture.
Service Account Token Management
packages/system/kubeovn/charts/kube-ovn/templates/ovn-sa.yaml, packages/system/kubeovn/charts/kube-ovn/templates/post-delete-hook.yaml, packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml
Set automountServiceAccountToken: false on ServiceAccount resources; applied automountServiceAccountToken: true and seccomp hardening to corresponding pod templates.
Init Container & Environment Updates
packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml, packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
Added chmod +t /usr/local/sbin to init container scripts; added new environment variables MOUNT_CNI_CONF_DIR and MOUNT_LOCAL_BIN_DIR.
Host PID & Pod Isolation
packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
Changed hostPID: true to hostPID: false, restricting host namespace access for the pinger DaemonSet.
Image & Values Configuration
packages/system/kubeovn/charts/kube-ovn/values.yaml, packages/system/kubeovn/values.yaml
Updated global image tag from v1.14.11 to v1.14.25 with new sha256 digests; added new CNI configuration entries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Hops with glee through security's door,
Seccomp profiles and token controls galore!
From version bumps to CRDs refined,
This hardened release leaves worries behind.
Thumper's delight—safe pods for all! 🔐

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title '[kube-ovn] Update to v1.14.25' clearly and directly summarizes the main change—upgrading the kube-ovn package from v1.14.11 to v1.14.25, which is confirmed across all modified files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist
Contributor

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on upgrading the Kube-OVN component to version v1.14.25, which includes significant updates to its Helm chart templates and introduces new configuration options. The changes also incorporate several security enhancements by explicitly managing service account token automounting and applying default seccomp profiles to various pods, alongside expanding CRD capabilities with new toleration and VLAN subinterface options.

Highlights

  • Kube-OVN Version Update: The core Kube-OVN component is updated from version v1.14.11 to v1.14.25, bringing in the latest features and fixes.
  • Chart Versioning Adjustments: The cozy-kubeovn wrapper chart's version in Chart.yaml is adjusted from 0.39.0 to 0.38.0, while its internal KUBEOVN_TAG in the Makefile is updated from v0.39.0 to v0.40.0.
  • Security Enhancements: Implemented automountServiceAccountToken: true and securityContext with seccompProfile: RuntimeDefault across various deployments and daemonsets for improved security posture. Service accounts themselves are configured with automountServiceAccountToken: false by default.
  • CRD Updates: The Kube-OVN Custom Resource Definitions now support tolerations for workload pods and a new autoCreateVlanSubinterfaces boolean option, enhancing flexibility in pod scheduling and network configuration.
  • Helm Chart Template Improvements: Added a conditional check for node IP lookup in _helpers.tpl to support dry-run operations and updated the README.md with new OCI Registry installation instructions.
  • CNI Configuration Refinements: Introduced MOUNT_CNI_CONF_DIR in values.yaml and updated CNI daemonset configurations to use it, along with adding chmod +t /usr/local/sbin and POD_IPS environment variable for the CNI container.


@kvaps kvaps added the backport (Should change be backported on previous release) label Jan 6, 2026
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates kube-ovn to v1.14.25, incorporating upstream changes such as updated chart templates, new configuration options, and several security hardening improvements like setting seccompProfile and better management of service account token automounting. While the core changes from upstream seem correct, I've identified a few issues with the packaging and documentation of this chart that need attention. Specifically, the main chart version has been incorrectly downgraded, the Makefile's update target appears to be broken, and the README contains a misleading version in an installation example. Please see my detailed comments for suggestions on how to resolve these issues.

apiVersion: v2
name: cozy-kubeovn
version: 0.39.0
version: 0.38.0
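Review bot: this hunk moves the wrapper chart's version backwards (0.39.0 to 0.38.0) in the same PR that moves KUBEOVN_TAG forward to v0.40.0. A Helm repository index or OCI registry orders chart versions by semver, so an already-published 0.39.0 keeps winning over 0.38.0 for anyone who installs the latest version, and the new kube-ovn v1.14.25 would never be picked up that way. If the downgrade is deliberate, state why in the PR description; otherwise bump to 0.40.0 to match the tag.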
Contributor


high

The chart version has been downgraded from 0.39.0 to 0.38.0. Since this pull request is for an update, the version should be incremented. It should likely be 0.40.0 to align with the KUBEOVN_TAG in the Makefile. Please correct the version to reflect an upgrade.

version: 0.40.0

@@ -1,4 +1,4 @@
KUBEOVN_TAG=v0.39.0
KUBEOVN_TAG=v0.40.0
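Review bot: the tag bump cannot be validated from this one-line hunk on its own; the remaining three lines of the update target (the rm -rf list and the tar extraction path with --strip 2) decide whether v0.40.0 unpacks into Chart.yaml, values.yaml and charts/kube-ovn/, and the two bot reviews on this page reach opposite conclusions about that. Run make update once against the new tag and confirm the regenerated tree matches what this PR commits before merging.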
Contributor


high

While KUBEOVN_TAG is updated to v0.40.0, the update target in this Makefile appears to be broken with this new tag for two reasons:

  1. The rm -rf charts values.yaml Chart.yaml command will delete the parent chart's values.yaml and Chart.yaml, which is likely not the intended behavior.
  2. The tar command uses the path kubeovn-$${tag#*v}/chart, but in the cozystack/kubeovn repository tag v0.40.0, the chart is located at charts/kube-ovn. The old path chart no longer exists.

Please correct the update target to ensure the chart update process is not broken and does not remove essential parent chart files.

The Helm chart is available from GitHub Container Registry:

```bash
helm install kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn --version v1.15.0
```
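Review bot: this README lives under charts/kube-ovn, which the Makefile's update target re-vendors from upstream, so changing --version v1.15.0 in place will be overwritten on the next sync and goes against the repo guideline quoted in the review context (do not edit vendored charts directly). If the documented version must track what this package ships, apply it in the vendoring step as a patch; otherwise leave the upstream text as it is.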
Contributor


medium

The installation example for the OCI registry refers to version v1.15.0, but this pull request updates the chart to v1.14.25. To avoid confusion for users, please update the version in the documentation to match the version being shipped in this PR.

Suggested change
helm install kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn --version v1.15.0
helm install kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn --version v1.14.25

@kvaps kvaps marked this pull request as ready for review January 6, 2026 17:12
@kvaps kvaps requested review from lllamnyp and nbykov0 as code owners January 6, 2026 17:12
@dosubot dosubot bot added the size:L (This PR changes 100-499 lines, ignoring generated files.) and enhancement (New feature or request) labels Jan 6, 2026
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI Agents
In @packages/system/kubeovn/charts/kube-ovn/README.md:
- Line 12: Update the example Helm install command in the README: replace the
hard-coded version string "--version v1.15.0" in the line "helm install kube-ovn
oci://ghcr.io/kubeovn/charts/kube-ovn --version v1.15.0" with "--version
v1.14.25" so the documented install command matches this PR's chart version.
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 0fb02e6 and d73773e.

📒 Files selected for processing (19)
  • packages/system/kubeovn/Chart.yaml
  • packages/system/kubeovn/Makefile
  • packages/system/kubeovn/charts/kube-ovn/Chart.yaml
  • packages/system/kubeovn/charts/kube-ovn/README.md
  • packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
  • packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/ovn-sa.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/post-delete-hook.yaml
  • packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml
  • packages/system/kubeovn/charts/kube-ovn/values.yaml
  • packages/system/kubeovn/values.yaml
🪛 checkmake (0.2.2)
packages/system/kubeovn/Makefile

[warning] 1-1: Missing required phony target "all" (minphony)
[warning] 1-1: Missing required phony target "clean" (minphony)
[warning] 1-1: Missing required phony target "test" (minphony)

🪛 YAMLlint (1.37.1)
packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml

[error] 37-37: syntax error: expected , but found '' (syntax)
🔇 Additional comments (24)
packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl (1)

2-7: LGTM: Defensive handling for dry-run and template scenarios.

The conditional wrapping ensures helm template and dry-run commands don't fail when no nodes are available, while preserving the error behavior when nodes exist but none match the master label.

Also applies to: 29-30

packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml (2)

1203-1248: LGTM: Well-documented tolerations schema for VpcEgressGateway.

The tolerations schema includes proper type constraints (enums for effect/operator), format specifications for tolerationSeconds, and comprehensive field descriptions matching Kubernetes toleration semantics.


2920-2921: LGTM: New autoCreateVlanSubinterfaces field for ProviderNetwork.

This boolean field enables automatic VLAN subinterface creation, expanding ProviderNetwork configuration options.

packages/system/kubeovn/charts/kube-ovn/Chart.yaml (1)

18-24: LGTM: Chart and app version aligned to v1.14.25.

The vendored chart metadata correctly reflects the upstream kube-ovn v1.14.25 release.

packages/system/kubeovn/charts/kube-ovn/values.yaml (2)

12-12: LGTM: Image tag updated to v1.14.25.

The image tag is consistent with the chart version bump.


114-118: LGTM: New CNI configuration options.

MOUNT_CNI_CONF_DIR and MOUNT_LOCAL_BIN_DIR provide additional flexibility for CNI configuration in different deployment environments.

packages/system/kubeovn/values.yaml (1)

67-68: LGTM: Image pinned with tag and digest.

Using both tag (v1.14.25) and digest ensures reproducible deployments with content verification.

packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml (1)

40-44: LGTM: Security hardening with explicit token mounting and seccomp profile.

  • automountServiceAccountToken: true makes the token mounting behavior explicit
  • seccompProfile.type: RuntimeDefault applies the container runtime's default seccomp profile, reducing the attack surface by filtering syscalls

These changes align with Kubernetes security best practices and Pod Security Standards.

packages/system/kubeovn/charts/kube-ovn/templates/post-delete-hook.yaml (1)

12-12: LGTM: Security hardening follows best practices.

The changes implement secure service account token handling:

  • ServiceAccount disables token automounting by default
  • Pod spec explicitly enables token mounting where needed (cleanup operations require API access)
  • RuntimeDefault seccomp profile adds syscall filtering

This follows the principle of least privilege and Kubernetes security best practices.

Also applies to: 106-110

packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml (1)

43-47: LGTM: Security hardening applied consistently.

The IC controller deployment correctly:

  • Explicitly enables service account token mounting (needed for Kubernetes API access)
  • Applies RuntimeDefault seccomp profile for syscall filtering

These changes align with the security hardening pattern applied across the chart.

packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml (1)

42-46: LGTM: Security configuration matches deployment requirements.

The OVN central deployment properly enables token mounting for API operations and applies RuntimeDefault seccomp profile, consistent with the chart-wide security hardening.

packages/system/kubeovn/charts/kube-ovn/templates/ovn-sa.yaml (1)

6-6: LGTM: Secure-by-default service account configuration.

All four ServiceAccounts (ovn, ovn-ovs, kube-ovn-cni, kube-ovn-app) now disable automatic token mounting by default. This implements the principle of least privilege - pods must explicitly opt-in to token mounting via their pod specs (as configured in the deployment/daemonset templates).

Also applies to: 22-22, 38-38, 54-54

packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml (1)

49-53: LGTM: Controller security configuration is appropriate.

The kube-ovn-controller deployment correctly enables service account token mounting (essential for managing CNI resources via Kubernetes API) and applies RuntimeDefault seccomp profile. This completes the consistent security hardening pattern across all control plane components.

packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml (1)

31-35: LGTM! Security hardening improvements.

These changes improve the security posture of the pinger DaemonSet:

  • Explicit service account token mounting control
  • Setting hostPID: false removes unnecessary host PID namespace access
  • RuntimeDefault seccomp profile enforcement

The hostPID change from true to false is particularly notable as it reduces the attack surface by preventing the pinger from accessing host processes.

packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml (1)

14-14: LGTM! Proper least-privilege token mounting pattern.

The ServiceAccount disables automatic token mounting by default, while the Job pod spec explicitly enables it. This follows security best practices: deny by default at the ServiceAccount level, then opt-in explicitly where needed.

The RuntimeDefault seccomp profile further hardens the security posture.

Also applies to: 138-141

packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml (1)

30-35: LGTM! Consistent security hardening.

Explicit service account token control and RuntimeDefault seccomp profile align with the security improvements applied consistently across the kube-ovn chart templates.

packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml (2)

37-42: LGTM! Security hardening improvements.

Explicit service account token mounting and RuntimeDefault seccomp profile align with the security improvements applied across the chart.


51-51: Clarify the source of the sticky bit modification—this is not from official kube-ovn upstream.

The chmod +t /usr/local/sbin command at line 51 is not present in the official upstream kube-ovn v1.14.25 release. This chart is synced from the cozystack/kubeovn fork (as shown in the Makefile), not the official kubeovn/kube-ovn repository. The sticky bit appears to be a cozystack-specific modification. If verifying its purpose, check the cozystack fork's release notes or commit history rather than the official upstream.

Likely an incorrect or invalid review comment.

packages/system/kubeovn/Makefile (1)

1-1: No action required for the update target.

The update target works correctly with v0.40.0. The upstream repository has the chart structure kubeovn-0.40.0/chart/, which the tar extraction with --strip 2 correctly expands to the expected files (Chart.yaml, values.yaml, and charts/kube-ovn/) in the current directory. The rm -rf only removes files in the package directory and does not affect parent files. The Helm umbrella pattern is properly maintained.

Likely an incorrect or invalid review comment.

packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml (5)

29-29: Verify that explicit service account token mounting is required.

The CNI DaemonSet explicitly sets automountServiceAccountToken: true. While CNI components typically need Kubernetes API access for network operations, confirm this is intentional rather than accepting the default behavior implicitly.


32-34: Excellent security hardening with RuntimeDefault seccomp profile.

Using RuntimeDefault seccomp profile restricts the pod to a safe set of syscalls, improving the security posture of the CNI DaemonSet.


69-69: Good configurability improvements for CNI paths and pod information.

The changes make the CNI configuration directory path configurable via MOUNT_CNI_CONF_DIR and expose pod IPs to the install-cni init container. These improvements enhance chart flexibility and provide necessary runtime information.

Also applies to: 72-76, 83-83


37-44: Static analysis false positive on YAML syntax.

YAMLlint reports a syntax error at line 37, but the YAML syntax is valid. The multiline string syntax (- |) used in the init container command is standard YAML. This is a false positive that can be safely ignored.


42-44: Verify whether chmod +t is from upstream kube-ovn v1.14.25 or a local modification, and document its purpose.

This is a vendored upstream Kube-OVN chart (v1.14.25). If chmod +t /usr/local/sbin is a local modification, it should be applied using proper Helm Chart vendoring mechanisms (patches, overlays, or values) rather than direct edits to the vendored templates, per coding guidelines. Confirm whether this is part of the official upstream release, and if so, add inline documentation explaining why the sticky bit is needed on this directory.

The Helm chart is available from GitHub Container Registry:

```bash
helm install kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn --version v1.15.0
```
Contributor


⚠️ Potential issue | 🟡 Minor

Update the version to match this PR (v1.14.25).

The installation example references v1.15.0, but this pull request updates the chart to v1.14.25. Update the documentation to reflect the correct version being shipped.

🔎 Suggested fix
-helm install kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn --version v1.15.0
+helm install kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn --version v1.14.25

@kvaps
Member Author

kvaps commented Jan 7, 2026

/retest

1 similar comment
@kvaps
Member Author

kvaps commented Jan 7, 2026

/retest

@kvaps kvaps merged commit c2b1f7f into main Jan 8, 2026
52 of 66 checks passed
@kvaps kvaps deleted the update-kubeovn-v1.14.25 branch January 8, 2026 20:04
@github-actions

github-actions bot commented Jan 8, 2026

Successfully created backport PR for release-0.39:

kvaps added a commit that referenced this pull request Jan 8, 2026
# Description
Backport of #1819 to `release-0.39`.
kvaps added a commit that referenced this pull request Jan 8, 2026
## What this PR does

Update kube-ovn from v1.14.11 to v1.14.25.

Changes synced from upstream include:
- Updated chart templates
- New configuration options in values

### Release note

```release-note
[kube-ovn] Update to v1.14.25
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
  * Added tolerations support for VpcNatGateway resources
  * Added automatic VLAN subinterface creation capability for provider networks
  * Enhanced installation documentation with OCI Registry and Talos Linux deployment examples

* **Security Improvements**
  * Applied runtime-default seccomp profiles across deployments
  * Configured service account token mounting behavior for improved pod security

* **Chores**
  * Updated Kube-OVN to v1.14.25
  * Updated Helm chart metadata and dependencies

<sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
kvaps added a commit that referenced this pull request Jan 8, 2026
kvaps added a commit that referenced this pull request Jan 9, 2026