Skip to content

fix(t8s-cluster/management-cluster): add missing securityGroupRule for cilium hubble#1971

Merged
cwrau merged 1 commit intomainfrom
fix/t8s-cluster/add-missing-cilium-hubble-security-group-rule
Feb 6, 2026
Merged

fix(t8s-cluster/management-cluster): add missing securityGroupRule for cilium hubble#1971
cwrau merged 1 commit intomainfrom
fix/t8s-cluster/add-missing-cilium-hubble-security-group-rule

Conversation

@cwrau
Copy link
Member

@cwrau cwrau commented Feb 5, 2026
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • New Features

    • Added Hubble relay port (4244) support for Cilium CNI in OpenStack clusters.

  • Chores

    • Simplified OpenStack cluster template configuration by removing conditional security group rules for hosted control plane scenarios.

Copilot AI review requested due to automatic review settings February 5, 2026 09:59
@cwrau cwrau enabled auto-merge February 5, 2026 09:59
@gemini-code-assist
Copy link

gemini-code-assist bot commented Feb 5, 2026

Summary of Changes

Hello @cwrau, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical networking requirement by introducing a security group rule for Cilium Hubble Relay within the OpenStackClusterTemplate. This ensures proper communication for the Hubble component, which is essential for network observability and troubleshooting in clusters where Cilium is deployed as the CNI. The change improves the robustness and functionality of Cilium-enabled Kubernetes clusters.

Highlights

  • Cilium Hubble Security Group Rule: A new security group rule has been added for 'hubble relay (http)' on port 4244, specifically for clusters utilizing Cilium as their Container Network Interface (CNI).
  • Refactoring of Native Routing Rules: The conditional inclusion of 'allow pod-pod native routing (ingress)' and 'allow node-pod native routing (ingress)' security group rules has been removed from within the Cilium CNI configuration block.
Changelog
  • charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml
    • Added a security group rule for 'hubble relay (http)' on port 4244 when Cilium is selected as the CNI.
    • Removed the conditional block that previously added 'allow pod-pod native routing (ingress)' and 'allow node-pod native routing (ingress)' rules when controlPlane.hosted was true within the Cilium CNI configuration.
Activity
  • No human activity (comments, reviews, etc.) has been recorded on this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@coderabbitai
Copy link

coderabbitai bot commented Feb 5, 2026
edited
Loading

📝 Walkthrough

Walkthrough

A Helm template for OpenStack cluster configuration is modified to add a Cilium-specific security group rule for Hubble relay (port 4244) and remove two conditional security group rules previously applied to hosted control plane scenarios.

Changes

Cohort / File(s) Summary
OpenStack Cluster Template
charts/t8s-cluster/templates/management-cluster/clusterClass/openStackClusterTemplate/_openStackClusterTemplateSpec.yaml		 Added Cilium-specific security group rule "hubble relay (http)" on port 4244. Removed conditional block that added pod-pod and node-pod native routing ingress rules for hosted control plane deployments. Simplified template structure by streamlining conditional logic closure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

t8s-cluster

Suggested reviewers

  • tasches
  • marvinWolff
  • teutonet-bot

Poem

🐰 In the cluster's misty realm, Cilium hops with care,
Hubble relay on port 4244 floats through the air,
Old native routes fade away, like rabbits in the night,
With cleaner template logic now, everything feels right!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix(t8s-cluster/management-cluster): add missing securityGroupRule for cilium hubble' accurately describes the main change - adding a security group rule for cilium hubble relay.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/t8s-cluster/add-missing-cilium-hubble-security-group-rule

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 5, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly adds a missing security group rule for Cilium's Hubble Relay, which is necessary for its operation. Additionally, it cleans up dead code and fixes a template syntax error, improving the chart's maintainability. The changes are sound and I have no further suggestions.

Copilot AI reviewed Feb 5, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a missing security group rule for Cilium's Hubble Relay service and removes unreachable dead code that was attempting to add network routing rules within an incorrect conditional block.

Changes:

  • Added security group rule for Cilium Hubble Relay on port 4244
  • Removed dead code that defined pod-pod and node-pod native routing rules within an unreachable conditional block

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cwrau cwrau added this pull request to the merge queue Feb 6, 2026
Merged via the queue into main with commit f36f231 Feb 6, 2026
39 checks passed
@cwrau cwrau deleted the fix/t8s-cluster/add-missing-cilium-hubble-security-group-rule branch February 6, 2026 08:08
@teutonet-bot teutonet-bot mentioned this pull request Feb 5, 2026
Merged
github-merge-queue bot pushed a commit that referenced this pull request Feb 25, 2026
@teutonet-bot @github-actions
chore(main): [bot] release t8s-cluster:9.6.0 (#1945)
68f4bf5 
🤖 I have created a release *beep* *boop*
---


##
[9.6.0](t8s-cluster-v9.5.2...t8s-cluster-v9.6.0)
(2026-02-25)


### Features

* **t8s-cluster/management-cluster:** add `compute-plane` role label to
nodes
([#1953](#1953))
([f5897e3](f5897e3))
* **t8s-cluster/management-cluster:** add quotas fied to cluster
([#1998](#1998))
([3123514](3123514))
* **t8s-cluster/management-cluster:** ignore local storage for
autoscaler
([#1973](#1973))
([d4abff8](d4abff8))


### Bug Fixes

* **t8s-cluster/management-cluster:** add missing securityGroupRule for
cilium hubble
([#1971](#1971))
([f36f231](f36f231))
* **t8s-cluster/management-cluster:** adjust test helmRepositories
([#1964](#1964))
([66be444](66be444))
* **t8s-cluster/management-cluster:** remove hardcoded field
([#1984](#1984))
([227af97](227af97))
* **t8s-cluster/workload-cluster:** add missing tolerations
([#1933](#1933))
([8718c0d](8718c0d))
* **t8s-cluster/workload-cluster:** correctly set extraArgs value
([#2003](#2003))
([6e558f0](6e558f0))
* **t8s-cluster/workload-cluster:** migrate extraArgs type to string
([#1985](#1985))
([79d6df5](79d6df5))


### Miscellaneous Chores

* **t8s-cluster/dependencies:** update common docker tag to v1.8.0
([#1940](#1940))
([cdf387f](cdf387f))
* **t8s-cluster/dependencies:** update helm release cilium to v1.19.0
([#1969](#1969))
([e95a9a5](e95a9a5))
* **t8s-cluster/dependencies:** update helm release cluster-autoscaler
to v9.55.0
([#1963](#1963))
([659a529](659a529))
* **t8s-cluster/dependencies:** update helm release openstack-cinder-csi
to v2.35.0
([#1970](#1970))
([741d5b2](741d5b2))
* **t8s-cluster/dependencies:** update helm release
openstack-cloud-controller-manager to v2.35.0
([#1941](#1941))
([a580142](a580142))
* **t8s-cluster/dependencies:** update registry.k8s.io/etcd docker tag
to v3.6.8
([#1996](#1996))
([aa7d054](aa7d054))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@marvinWolff marvinWolff marvinWolff approved these changes

@tasches tasches Awaiting requested review from tasches tasches is a code owner

@teutonet-bot teutonet-bot Awaiting requested review from teutonet-bot teutonet-bot is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@cwrau cwrau

Labels

t8s-cluster

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cwrau @marvinWolff @teutonet-bot