Update kube-ovn to latest version

[lllamnyp]

This commit bumps kube-ovn to 1.13.11 and uses the upstream image instead of building our own, now that the fixes necessary for kube-ovn to work properly in Talos have been released in the upstream.

Summary by CodeRabbit

• New Features

  • Added support for configurable log verbosity in Kube-OVN components via a new optional log verbosity flag.

• Improvements

  • Centralized network configuration by dynamically retrieving key values from an external ConfigMap, simplifying management.
  • Updated container image and chart versions to 1.13.11.
  • Adjusted container security capabilities and init container logic for improved consistency and reliability.

• Bug Fixes

  • Fixed issues related to conditional capability and command execution in container startup routines.

[coderabbitai]

Walkthrough

The updates focus on the Kube-OVN Helm chart and its deployment templates. Network configuration values are now sourced from an external ConfigMap instead of static Helm values. Logging verbosity is made configurable via a new argument. Image and chart versions are incremented, and capability and module management logic in container specs and Dockerfile is revised.

Changes

Files/Paths	Change Summary
.../kubeovn/charts/kube-ovn/Chart.yaml, .../kubeovn/charts/kube-ovn/values.yaml	Updated chart and image versions from 1.13.10 to 1.13.11; removed static IPv4 CIDR/gateway values from values.yaml.
.../kubeovn/charts/kube-ovn/templates/controller-deploy.yaml, .../ovncni-ds.yaml	Controller and CNI server startup commands updated to support optional log verbosity argument; network configuration now dynamically loaded from the "cozystack" ConfigMap using the Helm lookup function; removed previous static and conditional logic for network config selection.
.../kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml	Init container now conditionally loads kernel modules or creates symlinks based on DISABLE_MODULES_MANAGEMENT; mounts /lib/modules read-only; security context updated to always add NET_RAW and no longer conditionally add SYS_MODULE.
.../kubeovn/images/kubeovn/Dockerfile	Simplified Dockerfile by removing explicit Linux capability settings for binaries; updated base image version to v1.13.11.
.../kubeovn/patches/cozyconfig.diff	Helm chart templates patched to source network configuration from the "cozystack" ConfigMap; removed static IPv4/IPv6/dual-stack value logic; introduced optional log verbosity argument for controller and CNI server.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant HelmChart
    participant CozyConfigMap
    participant KubeOVNController
    participant CNIServer

    User->>HelmChart: Install/upgrade Kube-OVN chart
    HelmChart->>CozyConfigMap: lookup("cozystack", "cozy-system", keys)
    CozyConfigMap-->>HelmChart: Return network config values
    HelmChart->>KubeOVNController: Deploy with dynamic network args, optional --v
    HelmChart->>CNIServer: Deploy with dynamic network args, optional --v

Loading

Suggested labels

ok-to-test

Poem

In the warren of code, a new path appears,
With configs from Cozy, our network now steers.
Versions hop higher, logs get more clear,
Capabilities trimmed, the containers cheer!
🐇✨
So here’s to new charts, and templates anew—
The cluster’s more cozy, thanks all to you!

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1cdeb07 and 3ac00ea.

📒 Files selected for processing (7)

• packages/system/kubeovn/charts/kube-ovn/Chart.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml (2 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml (3 hunks)
• packages/system/kubeovn/charts/kube-ovn/values.yaml (1 hunks)
• packages/system/kubeovn/images/kubeovn/Dockerfile (1 hunks)
• packages/system/kubeovn/patches/cozyconfig.diff (3 hunks)

✅ Files skipped from review due to trivial changes (2)

• packages/system/kubeovn/charts/kube-ovn/values.yaml
• packages/system/kubeovn/images/kubeovn/Dockerfile

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/system/kubeovn/charts/kube-ovn/Chart.yaml
• packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
• packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
• packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml

🔇 Additional comments (5)

packages/system/kubeovn/patches/cozyconfig.diff (5)

10-23: Improved configuration management using external ConfigMap

This change replaces hardcoded network configuration with dynamic values retrieved from the "cozystack" ConfigMap in the "cozy-system" namespace. This is a good architectural improvement as it:

1. Centralizes network configuration management
2. Removes the need for conditional logic based on network stack type
3. Simplifies maintenance by having a single source of truth

The lookup function is correctly used to access the ConfigMap data.

---

24-26: Enhanced logging configuration with verbosity control

Adding the --v argument conditionally is a good improvement that allows configurable logging verbosity. This will help with troubleshooting and debugging in production environments.

---

38-58: Streamlined controller network configuration

Similar to the CNI server changes, the controller deployment now retrieves network configuration from the central ConfigMap. The changes significantly reduce code complexity by:

1. Eliminating duplicated conditional statements
2. Centralizing network configuration management
3. Directly accessing required values with clear keys (ipv4-pod-cidr, ipv4-pod-gateway)

This change aligns well with the PR objective of simplifying maintenance by using upstream configurations.

---

81-85: Consistent ConfigMap usage and verbosity control

The approach for configuration is consistent with previous changes, retrieving node-switch-cidr and service-cluster-ip-range from the ConfigMap. The addition of the log verbosity parameter matches the pattern used in other components, ensuring a uniform approach to logging configuration across the kube-ovn deployment.

---

96-100: Removed redundant static network configuration values

Removing the static IPv4 network configuration values from values.yaml is appropriate since these values are now sourced from the external ConfigMap. This change:

1. Eliminates potential configuration conflicts
2. Reduces maintenance overhead
3. Supports the PR objective of moving to the upstream image without custom configurations

This is a positive change that avoids duplication and centralizes network configuration.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (1)

packages/system/kubeovn/patches/cozyconfig.diff (1)

1-104: 💡 Verification agent

🧩 Analysis chain

Verify the ConfigMap exists in target environments

The PR switches to dynamic retrieval of network configuration from a ConfigMap named "cozystack" in the "cozy-system" namespace. This approach is cleaner but requires this ConfigMap to exist.

---

🏁 Script executed:

#!/bin/bash

# Check if the cozystack ConfigMap exists in the cozy-system namespace
kubectl get configmap cozystack -n cozy-system -o yaml 2>/dev/null

if [ $? -eq 0 ]; then
  echo "ConfigMap 'cozystack' exists in 'cozy-system' namespace."
  
  # Check if the required keys exist in the ConfigMap
  kubectl get configmap cozystack -n cozy-system -o jsonpath='{.data}' | grep -E "ipv4-(pod-cidr|pod-gateway|join-cidr|svc-cidr)"
  
  if [ $? -eq 0 ]; then
    echo "Required network configuration keys found in ConfigMap."
  else
    echo "WARNING: One or more required network configuration keys missing from ConfigMap."
  fi
else
  echo "WARNING: ConfigMap 'cozystack' does not exist in 'cozy-system' namespace."
fi

Length of output: 245

---

Missing cozystack ConfigMap in cozy-system namespace

The dynamic lookup of cozystack is going to fail at runtime because the ConfigMap does not exist. You need to ensure it’s created with the following data keys before deploying these changes:

Affected templates:

• packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
• packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml

Required cozystack ConfigMap data keys:

• ipv4-pod-cidr
• ipv4-pod-gateway
• ipv4-join-cidr
• ipv4-svc-cidr

Please add this ConfigMap (or provide Helm chart pre-install hooks) so that the lookup calls succeed.

🧹 Nitpick comments (1)

packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml (1)

103-103: Verify NET_RAW capability and consider tightening privileges
Granting NET_RAW is reasonable for raw socket operations, but please confirm it’s required by upstream kube-ovn. Also review whether SYS_NICE and SYS_ADMIN are still necessary now that module management is offloaded; you may be able to drop them to adhere to least-privilege principles.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dca732c and 1cdeb07.

📒 Files selected for processing (10)

• Makefile (0 hunks)
• packages/system/kubeovn/Makefile (0 hunks)
• packages/system/kubeovn/charts/kube-ovn/Chart.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml (1 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml (2 hunks)
• packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml (3 hunks)
• packages/system/kubeovn/charts/kube-ovn/values.yaml (1 hunks)
• packages/system/kubeovn/images/kubeovn/Dockerfile (0 hunks)
• packages/system/kubeovn/patches/cozyconfig.diff (3 hunks)
• packages/system/kubeovn/values.yaml (0 hunks)

💤 Files with no reviewable changes (4)

• Makefile
• packages/system/kubeovn/values.yaml
• packages/system/kubeovn/images/kubeovn/Dockerfile
• packages/system/kubeovn/Makefile

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Build and Test

🔇 Additional comments (13)

packages/system/kubeovn/charts/kube-ovn/values.yaml (1)

13-13: Version updated to match upstream release

The tag has been updated from v1.13.10 to v1.13.11, aligning with the PR objective to upgrade kube-ovn and use the official upstream image.

packages/system/kubeovn/charts/kube-ovn/Chart.yaml (1)

18-18: Version bumps to 1.13.11

Both chart version and appVersion are updated to 1.13.11 to match the new upstream kube-ovn version.

Also applies to: 24-24

packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml (1)

86-88: Added configurable log verbosity

New configuration allows setting log verbosity level through .Values.global.logVerbosity, improving debugging capabilities.

packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml (2)

38-38: Simplified initContainer command

The conditional logic for running iptables -V has been removed, making the command run unconditionally which simplifies the initialization process.

---

92-94: Added configurable log verbosity

Similar to the controller deployment, this change adds support for configurable log verbosity level through .Values.global.logVerbosity.

packages/system/kubeovn/patches/cozyconfig.diff (6)

10-10: Switched to dynamic network configuration

The patch now retrieves service cluster IP range from the ConfigMap instead of using static values, allowing for centralized configuration management.

Also applies to: 23-23

---

24-26: Added log verbosity configuration

Added optional log verbosity flag for improved debugging capabilities.

---

38-38: Switched controller to use ConfigMap for network configuration

The controller deployment now retrieves pod CIDR and gateway values from the ConfigMap. This is a cleaner approach than the previous static configuration with conditionals based on network stack type.

Also applies to: 57-58

---

81-82: Switched to ConfigMap for node switch CIDR and service CIDR

Node switch CIDR and service CIDR now come from the ConfigMap, completing the transition to dynamic network configuration retrieval.

---

83-85: Added log verbosity for controller

Added verbosity flag consistent with the previous changes to the controller deployment template.

---

97-100: Removed static network configuration values

Static network configuration values have been removed from values.yaml since they're now retrieved from the ConfigMap. This eliminates duplicate configuration and potential sources of inconsistency.

packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml (2)

53-59: Confirm DISABLE_MODULES_MANAGEMENT flag mapping and default
Ensure that .Values.DISABLE_MODULES_MANAGEMENT is defined in values.yaml, correctly defaults to false, and that the inverted guard (if not .Values.DISABLE_MODULES_MANAGEMENT) aligns with the intended module-loading behavior.

---

68-70: Approve mounting host modules in init container
The read-only mount of /lib/modules into the init container is necessary for kernel module inspection and symlink setup. This aligns with the module-management logic and matches the hostPath volume defined below.

[kvaps]

Please keep the image target, I hope some day we'll move all images into Cozystack

[kvaps]

Please keep the image target, I hope some day we'll move all images into Cozystack

[kvaps]

LGTM