fix(cilium): add CNI override ConfigMap for Cilium by mgencur · Pull Request #79593 · openshift/release

mgencur · 2026-05-21T11:00:23Z

…o OCP 5.0

Create a cilium-cni-override ConfigMap with cniVersion 0.4.0 to work around the CNI 0.3.1 incompatibility (OCPBUGS-86033). Mount the override into the cilium agent via readCniConf/extraVolumes and drop the now-redundant cni.chainingMode flag.

Also extend the network-policies version gate to include OCP 5.0.

Ref: https://redhat.atlassian.net/browse/OCPBUGS-86033

/hold

Summary by CodeRabbit

This PR updates the OpenShift HyperShift CI infrastructure to work around a Cilium CNI compatibility issue (OCPBUGS-86033) by introducing a CNI configuration override mechanism for test environments.

Main Changes:

Cilium Installation Step (cucushift-hypershift-extended-cilium-commands.sh):

Adds a cilium-cni-override ConfigMap that explicitly sets cniVersion to 0.4.0, working around an incompatibility with CNI version 0.3.1
Updates the Cilium agent installation to mount and use this override configuration via the cni.readCniConf parameter
Configures the override as an extra volume in the Cilium pod deployment
Removes the cni.chainingMode=portmap flag from the installation arguments, as it's now handled by the override ConfigMap

Network Policy Workarounds (network-policies-commands.sh):

Extends the version gate for Cilium/NetworkPolicy workarounds to include both OCP 4.22 and 5.0 (previously only 4.22)
This ensures the necessary workarounds are applied in both supported release branches

CI Configuration Updates (openshift-hypershift-release-{4.23,5.0}__periodics.yaml):

Removes the TEST_SKIPS configuration from the e2e-aws-conformance-cilium periodic test jobs for both 4.23 and 5.0 release branches
This simplifies the job configuration while maintaining the core test workflow

Practical Impact: These changes enable the HyperShift CI/CD pipeline to properly test Cilium networking in OpenShift environments by ensuring correct CNI version compatibility, while also preparing the infrastructure for OCP 5.0 support.

coderabbitai · 2026-05-21T11:00:50Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0512a26c-5d5c-48e9-b1bb-9bb52e34810a

📥 Commits

Reviewing files that changed from the base of the PR and between 9de2c93 and 9555c30.

📒 Files selected for processing (2)

ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.23__periodics.yaml
ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml

💤 Files with no reviewable changes (2)

ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml
ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.23__periodics.yaml

Walkthrough

This PR updates Cilium installation and NetworkPolicy test logic in HyperShift extended test scenarios. The main change adds a ConfigMap-based CNI configuration override that is mounted into Cilium pods, and expands version-conditional workarounds to support both OCP 4.22 and 5.0.

Changes

Hypershift Cilium extended test updates

Layer / File(s)	Summary
Cilium CNI config override via ConfigMap `ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh`	A `cilium-cni-override` ConfigMap is created with explicit CNI version (0.4.0) and plugin definitions (cilium-cni, portmap), then mounted and referenced in cilium install flags via `cni.readCniConf`, `extraVolumes`, and `extraVolumeMounts`. The `cni.chainingMode=portmap` flag is removed from the install arguments.
NetworkPolicy workaround version allowlist `ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh`	Conditional logic for applying Cilium/NetworkPolicy workarounds is updated to skip only when OCP version is neither 4.22 nor 5.0, expanding support from 4.22 alone.
Periodic job TEST_SKIPS removal `ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.23__periodics.yaml`, `ci-operator/config/openshift/hypershift/openshift-hypershift-release-5.0__periodics.yaml`	Deleted the `steps.env.TEST_SKIPS` blocks from the `e2e-aws-conformance-cilium` periodic job definitions, leaving cluster_profile and workflow fields.

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels: lgtm, ok-to-test, rehearsals-ack, jira/valid-bug, jira/severity-moderate, jira/valid-reference

Suggested reviewers:

asood-rh
memodi

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main change: adding a CNI override ConfigMap for Cilium, which is the primary focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only CI/CD infrastructure files (shell scripts and YAML configs). No Ginkgo test files are modified, so the check is not applicable.
Test Structure And Quality	✅ Passed	No Ginkgo test code found in PR. Modified files are bash scripts and YAML CI configs, not Ginkgo test code, so the check is not applicable.
Microshift Test Compatibility	✅ Passed	PR does not add any new Ginkgo e2e tests; it only modifies CI/CD infrastructure (shell scripts and YAML configs). The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes are to bash scripts and YAML CI configuration files only, making the SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies CI test scripts and job configuration files, not deployment manifests. No topology-aware scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains only shell scripts and YAML CI configuration; no OTE binary source code changes. OTE Binary Stdout Contract check applies only to Go test code compiled into binaries.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests—only shell scripts and YAML configuration changes. Custom check only applies to new test code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

mgencur · 2026-05-21T11:47:59Z

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-cilium

openshift-merge-bot · 2026-05-21T11:48:02Z

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

…o OCP 5.0 Create a cilium-cni-override ConfigMap with cniVersion 0.4.0 to work around the CNI 0.3.1 incompatibility (OCPBUGS-86033). Mount the override into the cilium agent via readCniConf/extraVolumes and drop the now-redundant cni.chainingMode flag. Also extend the network-policies version gate to include OCP 5.0. Ref: https://redhat.atlassian.net/browse/OCPBUGS-86033 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The excluded tests are already in the workflow itself, no need to exclude them again.

mgencur · 2026-05-25T05:45:50Z

/pj-rehearse periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-cilium

openshift-merge-bot · 2026-05-25T05:46:38Z

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2026-05-25T05:46:56Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mgencur
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-merge-bot · 2026-05-25T05:50:16Z

[REHEARSALNOTIFIER]
@mgencur: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-conformance-cilium	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.19-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-kubevirt-metal-conformance-cilium	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.22-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-conformance-cilium-private	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-conformance-cilium	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-kubevirt-metal-conformance-cilium	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.21-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-conformance-cilium	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-conformance-cilium-private	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-cilium-stage-full-f60	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-conformance-cilium	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-kubevirt-metal-conformance-cilium	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-conformance-cilium-private	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-mce-e2e-agent-connected-cilium-ipv4-metal-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.23-periodics-e2e-aws-conformance-cilium	N/A	periodic	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-ci · 2026-05-25T08:47:13Z

@mgencur: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 21, 2026

mgencur changed the title ~~fix(cilium): add CNI override ConfigMap and extend network-policies t…~~ fix(cilium): add CNI override ConfigMap for Cilium May 21, 2026

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 21, 2026

openshift-ci Bot requested review from sosiouxme and xueqzhan May 21, 2026 11:01

mgencur mentioned this pull request May 21, 2026

[release-4.22] NVIDIA-596: Enable dpu healthcheck openshift/cluster-network-operator#3009

Open

mgencur and others added 3 commits May 25, 2026 07:42

Update cilium periodics for 4.23 and 5.0

7e62295

The excluded tests are already in the workflow itself, no need to exclude them again.

Remove redundant NetworkPolicies for cilium after merging OCPBUGS-86034

9555c30

mgencur force-pushed the cilium_cli_override_cni branch from 9de2c93 to 9555c30 Compare May 25, 2026 05:45

openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 25, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(cilium): add CNI override ConfigMap for Cilium#79593

fix(cilium): add CNI override ConfigMap for Cilium#79593
mgencur wants to merge 3 commits into
openshift:mainfrom
mgencur:cilium_cli_override_cni

mgencur commented May 21, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented May 21, 2026 •

edited

Loading

Uh oh!

mgencur commented May 21, 2026

Uh oh!

openshift-merge-bot Bot commented May 21, 2026

Uh oh!

mgencur commented May 25, 2026

Uh oh!

openshift-merge-bot Bot commented May 25, 2026

Uh oh!

openshift-ci Bot commented May 25, 2026

Uh oh!

openshift-merge-bot Bot commented May 25, 2026

Uh oh!

openshift-ci Bot commented May 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

mgencur commented May 21, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented May 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Uh oh!

mgencur commented May 21, 2026

Uh oh!

openshift-merge-bot Bot commented May 21, 2026

Uh oh!

mgencur commented May 25, 2026

Uh oh!

openshift-merge-bot Bot commented May 25, 2026

Uh oh!

openshift-ci Bot commented May 25, 2026

Uh oh!

openshift-merge-bot Bot commented May 25, 2026

Uh oh!

openshift-ci Bot commented May 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

mgencur commented May 21, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 21, 2026 •

edited

Loading