Skip to content

refactor(cilium-conf): migrate from OLM to cilium install --dry-run#81398

Open
mgencur wants to merge 1 commit into
openshift:mainfrom
mgencur:update_cilium
Open

refactor(cilium-conf): migrate from OLM to cilium install --dry-run#81398
mgencur wants to merge 1 commit into
openshift:mainfrom
mgencur:update_cilium

Conversation

@mgencur

@mgencur mgencur commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Replace deprecated isovalent/olm-for-cilium OLM manifest download with cilium CLI's install --dry-run to generate day-0 manifests. This aligns with the cucushift reference script's approach while preserving the day-0 nature of the step (manifests stored in SHARED_DIR for installer).

Changes:

  • Download cilium CLI v0.19.2 and use it to render Helm chart manifests
  • Add cniVersion override ConfigMap manifest (OCPBUGS-86033 workaround)
  • Add SCC ClusterRoleBinding for cilium service accounts
  • Update CILIUM_VERSION from 1.13.9 to 1.19.4
  • Add CILIUM_CLI_VERSION env var (default 0.19.2) to ref.yaml

Summary by CodeRabbit

This updates the Cilium day-0 manifest generation used by OpenShift CI so it no longer depends on downloading the deprecated OLM-for-Cilium bundle. Instead, the step now uses cilium-cli with cilium install --dry-run to render the manifests, stores them in SHARED_DIR, and aligns the flow with the cucushift reference approach.

Practically, this changes the CI bootstrap assets for Cilium installation by:

  • bumping the Cilium version used for generated manifests to 1.19.4
  • adding a configurable Cilium CLI version defaulting to 0.19.2
  • generating supporting manifests for the namespace, CNI override ConfigMap, DNS egress policy, and SCC ClusterRoleBinding needed for OpenShift
  • adding a cniVersion override workaround for the affected cluster setup

Replace deprecated isovalent/olm-for-cilium OLM manifest download with
cilium CLI's install --dry-run to generate day-0 manifests. This aligns
with the cucushift reference script's approach while preserving the
day-0 nature of the step (manifests stored in SHARED_DIR for installer).

Changes:
- Download cilium CLI v0.19.2 and use it to render Helm chart manifests
- Add cniVersion override ConfigMap manifest (OCPBUGS-86033 workaround)
- Add SCC ClusterRoleBinding for cilium service accounts
- Update CILIUM_VERSION from 1.13.9 to 1.19.4
- Add CILIUM_CLI_VERSION env var (default 0.19.2) to ref.yaml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

The Cilium configuration step script and its reference YAML were updated. The script now installs cilium-cli and generates Cilium CNI manifests dynamically via cilium install --dry-run, replacing the prior OLM manifest retrieval flow. New version variables (CILIUM_VERSION, CILIUM_CLI_VERSION) and defaults were added, along with static manifests for namespace, ConfigMap, NetworkPolicy, and ClusterRoleBinding.

Changes

Cilium CNI Manifest Generation

Layer / File(s) Summary
Version and config defaults
ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh, ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
Adds CILIUM_VERSION, CILIUM_CLI_VERSION, ENDPOINT_ROUTES, HUBBLE, and SHARED_DIR defaults in the script; updates CILIUM_VERSION default to 1.19.4 and adds CILIUM_CLI_VERSION default 0.19.2 with new documentation in the ref YAML, plus updated step description.
cilium-cli install and static manifests
ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
Downloads and installs cilium-cli, replacing the OLM manifest packaging flow, and writes static manifests for the cilium namespace, a CNI-version-override ConfigMap, and a DNS-to-kube-apiserver egress NetworkPolicy.
ClusterRoleBinding and dynamic manifest splitting
ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
Generates a privileged SCC ClusterRoleBinding manifest, runs cilium install --dry-run, splits the resulting multi-document YAML, removes empty outputs, and renames each document into a deterministic filename under ${SHARED_DIR} based on kind/name.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Script as cilium-conf-commands.sh
  participant CLI as cilium-cli
  participant SharedDir as SHARED_DIR

  Script->>CLI: install cilium-cli tarball
  Script->>SharedDir: write namespace, ConfigMap, NetworkPolicy manifests
  Script->>SharedDir: write ClusterRoleBinding manifest
  Script->>CLI: cilium install --dry-run
  CLI-->>Script: multi-document YAML
  Script->>Script: split YAML into per-document files
  Script->>SharedDir: write per-manifest files named by kind/name
Loading

Related Issues: None found

Related PRs: None found

Suggested labels: ci-operator, step-registry, cilium

Suggested reviewers: None specified

🐰💨

Manifests hop from OLM's old den,
cilium-cli builds fresh again,
split and named, each YAML flies,
into SHARED_DIR where it lies.


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Container-Privileges ❌ Error FAIL: cilium-conf-commands.sh adds a ClusterRoleBinding to system:openshift:scc:privileged for Cilium SAs, granting privileged SCC access. Drop the privileged SCC binding or replace it with the least-privilege SCC needed; add justification if privileged access is unavoidable.
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning The new cilium-conf step hard-codes IPv4-only settings and downloads from github.com/quay.io, so it will fail in IPv6-only disconnected jobs. Detect IP family and avoid IPv4-only CIDRs/flags; mirror cilium-cli/charts internally or skip the step in disconnected jobs.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: replacing OLM-based Cilium manifest generation with cilium install --dry-run.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR does not contain any Ginkgo test files or test definitions. Files changed are bash scripts and YAML configurations for CI/operator step registry, not test files.
Test Structure And Quality ✅ Passed No Ginkgo test code is touched; the PR only changes shell/YAML step-registry files, so this checklist is not applicable.
Microshift Test Compatibility ✅ Passed PASS: The PR only changes a step-registry shell script and YAML metadata; no Ginkgo test blocks were added or modified, so MicroShift compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only changes a shell step-registry script and YAML config; no Ginkgo e2e tests were added, so the SNO check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed The PR adds generic Cilium manifests and no topology-sensitive anti-affinity, nodeSelectors, spread constraints, PDBs, or replica logic.
Ote Binary Stdout Contract ✅ Passed PR only changes a Bash step script and YAML refs; no OTE binary entrypoints or process-level stdout code are present.
No-Weak-Crypto ✅ Passed Reviewed the changed Cilium files; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons appear.
No-Sensitive-Data-In-Logs ✅ Passed The script uses set -x and prints manifest generation steps, but it does not log secrets, tokens, PII, or internal/customer data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@mgencur

mgencur commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance

@openshift-ci openshift-ci Bot requested review from jtaleric and sosiouxme July 2, 2026 13:24
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mgencur
Once this PR has been reviewed and has the lgtm label, please assign jtaleric for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@mgencur: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-release-main-ci-4.12-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.18-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.13-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.10-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.15-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.17-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.16-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.17-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.14-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.22-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.15-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.10-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.18-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-hypershift-release-4.19-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.9-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-5.0-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.21-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.17-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.20-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.14-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.15-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.22-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.11-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.23-e2e-azure-cilium N/A periodic Registry content changed

A total of 55 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh`:
- Around line 32-37: Install cilium-cli into an isolated temporary directory
instead of the fixed /tmp/bin path in the cilium-conf-commands.sh setup block.
Update the install flow around the cilium-cli download/extract commands to
create a unique directory with mktemp -d, extract the tarball there, chmod the
resulting cilium binary, and export PATH using that generated directory so the
install cannot collide with existing files or symlinks.
- Around line 136-139: The Helm --set arguments in the cilium-conf-commands.sh
command block are vulnerable to shell globbing because the array-style keys are
unquoted. Update the helm invocation around the extraVolumes and
extraVolumeMounts settings so the keys like extraVolumes[0],
extraVolumes[0].configMap.name, extraVolumeMounts[0], and
extraVolumeMounts[0].mountPath are quoted consistently, using the same command
block that builds the Cilium install arguments.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 278b0c5f-91f5-420a-aa65-42067951d109

📥 Commits

Reviewing files that changed from the base of the PR and between e962170 and f58e713.

📒 Files selected for processing (2)
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  • ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml

Comment thread ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
Comment on lines +136 to +139
--set extraVolumes[0].name=cni-override \
--set extraVolumes[0].configMap.name=cilium-cni-override \
--set extraVolumeMounts[0].name=cni-override \
--set extraVolumeMounts[0].mountPath=/etc/cilium-cni \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
tmp="$(mktemp -d)"
cd "$tmp"
touch 'extraVolumes0.name=cni-override'
printf '<%s>\n' --set extraVolumes[0].name=cni-override
printf '<%s>\n' --set 'extraVolumes[0].name=cni-override'

Repository: openshift/release

Length of output: 241


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh"

# Show the relevant section with line numbers
sed -n '120,150p' "$file" | cat -n

# Check whether the script is using shell globbing-sensitive Helm --set keys in a command context
rg -n --fixed-strings --context 2 'extraVolumes[0].name=cni-override|extraVolumeMounts[0].name=cni-override|extraVolumes[0].configMap.name=cilium-cni-override|extraVolumeMounts[0].mountPath=/etc/cilium-cni' "$file"

Repository: openshift/release

Length of output: 1813


Quote the Helm array keys here. extraVolumes[0] and extraVolumeMounts[0] are subject to shell globbing, so a matching filename in the working directory can change the helm --set arguments.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh` around lines
136 - 139, The Helm --set arguments in the cilium-conf-commands.sh command block
are vulnerable to shell globbing because the array-style keys are unquoted.
Update the helm invocation around the extraVolumes and extraVolumeMounts
settings so the keys like extraVolumes[0], extraVolumes[0].configMap.name,
extraVolumeMounts[0], and extraVolumeMounts[0].mountPath are quoted
consistently, using the same command block that builds the Cilium install
arguments.

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@mgencur: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/rehearse/periodic-ci-openshift-hypershift-release-4.22-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance f58e713 link unknown /pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant