fix(helm): use native gRPC probe on relay :4222 and bump default to v1.17.15 #2282
Open
pesarkhobeee wants to merge 2 commits into
The chart's hubble-relay probe template branches between a native gRPC probe and exec'ing `grpc_health_probe`, gated on Kubernetes version and `hubble.tls.enabled`. With the default `hubble.tls.enabled: true` the exec branch is selected, but upstream Cilium removed the `grpc_health_probe` binary from the hubble-relay image in cilium/cilium#37806, so any chart user pinning a v1.16+ relay image hits `executable file not found in $PATH` on every startup probe and the rollout stalls.

Switch the probe to the relay's dedicated gRPC health server on :4222, which is always plaintext regardless of `hubble.tls.enabled` (TLS only applies to the main API listener on `listenPort`). This matches the approach upstream Cilium's chart already uses since they dropped the binary, and works for both TLS-enabled and TLS-disabled deployments without forcing operators to disable TLS just to upgrade the relay image.

Refs: microsoft#2165

Signed-off-by: pesarkhobeee <ahmadian.farid.1988@gmail.com>

Switch the chart's default hubble-relay image from mcr.microsoft.com/oss/cilium/hubble-relay:v1.15.0 to the official upstream registry quay.io/cilium/hubble-relay at v1.17.15. v1.17 is the lowest currently-supported Cilium minor and v1.17.15 is its latest patch, which keeps the jump from the previous default (1.15.0) as small as possible while landing on a maintained release line.

Refs: microsoft#2165

Signed-off-by: pesarkhobeee <ahmadian.farid.1988@gmail.com>
Author
@microsoft-github-policy-service agree [company="goflink"]
Author
@microsoft-github-policy-service agree company="goflink"
nddq
requested changes
May 5, 2026
| repository: "mcr.microsoft.com/oss/cilium/hubble-relay" | ||
| tag: "v1.15.0" | ||
| digest: "sha256:19cd56e7618832257bf88b2f281287cb57f9f7fcb9e04775a6198d4bc4daffae" | ||
| repository: "quay.io/cilium/hubble-relay" |
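Review bot: the `repository` value moves from `mcr.microsoft.com/oss/cilium/hubble-relay` to `quay.io/cilium/hubble-relay`, so the default image now comes from a different registry than the one the `v1.15.0` digest was recorded against. Change `repository`, `tag` and `digest` together so no rendered manifest can pair the quay.io repository with the old sha256 value, and mention the registry switch in the upgrade notes for clusters that restrict image pulls to an allow-list of registries.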
Member
I think we should change all hubble-related repos to quay.io as well, since the mcr images are deprecated.
| - -rpc-timeout=5s | ||
| {{- end }} | ||
| {{- end }} | ||
| port: 4222 |
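Review bot: `port: 4222` is a literal in the template, and the `-rpc-timeout=5s` argument shown with the exec branch has no visible counterpart beside it. Read the port from a values key so it stays in step with the relay's health listener, and set `timeoutSeconds: 5` on the probe if the 5-second budget is meant to carry over, since a Kubernetes probe without `timeoutSeconds` times out after 1 second.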
Member
Let's parameterize this in values.yaml.
| repository: "quay.io/cilium/hubble-relay" | ||
| tag: "v1.17.15" | ||
| digest: "sha256:60dcac76e5841a14d5c4813377cb463822db78568146e8c93ffc5b5cc0e894fb" | ||
| useDigest: false |
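Review bot: `useDigest: false` sits directly under a recorded `digest`, so, assuming `useDigest` gates the digest as its name says, this default resolves the image by the mutable `v1.17.15` tag alone. Either default `useDigest` to `true`, or drop the `digest` line so the values file does not suggest a pin that is not enforced; if both stay as they are, the digest can drift from the tag on the next bump without anything failing.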
Member
Let's flip this to true to leverage the SHA digest.
Contributor
@pesarkhobeee I've addressed the review comments in pesarkhobeee#1 if you'd like to take a look
Closes #2165

Summary

- `templates/hubble-relay/deployment.yaml` — replace the conditional `grpc_health_probe` exec / native gRPC probe branching with a single native `grpc:` probe pointed at the relay's dedicated health server on `:4222`. Works regardless of `hubble.tls.enabled` (the health listener is plaintext; only the main API on `listenPort` is TLS-wrapped). Mirrors what upstream Cilium's chart adopted after cilium/cilium#37806.
- `values.yaml` — bump default `hubble.relay.image` from `mcr.microsoft.com/oss/cilium/hubble-relay:v1.15.0` to `quay.io/cilium/hubble-relay:v1.17.15` (lowest currently-supported Cilium minor at its latest patch, smallest jump that lands on a maintained line). Refs: v1.17.15 release notes, available tags.

Why

With the chart's default `hubble.tls.enabled: true`, the probe template selects the `exec grpc_health_probe` branch. Upstream Cilium removed that binary from the relay image (backported to all supported branches), so any v1.16+ tag fails the startup probe with `executable file not found in $PATH` and the rollout stalls. Reproduced against `v1.17.15`.

Probing `:4222` instead of `listenPort` (4245) avoids this without forcing operators to disable TLS or ship a custom relay image — the health server is always plaintext regardless of the main API's TLS state.
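A check for the failure described above, as an added example that is not part of this PR or the chart: it lints a rendered Deployment for an exec of `grpc_health_probe`, a native gRPC probe aimed at a port other than the health listener, and a tag-only image. The manifest fragment, the `lint` and `fixed` helper names and the `-addr` argument are constructed for illustration; the ports, tag and digest are the ones quoted on this page.

```python
import copy

PROBE_FIELDS = ("startupProbe", "readinessProbe", "livenessProbe")
DIGEST = "sha256:60dcac76e5841a14d5c4813377cb463822db78568146e8c93ffc5b5cc0e894fb"

# Constructed sample: the relevant part of a rendered hubble-relay Deployment
# with the old exec probe branch and a tag-only image reference.
BEFORE = {"spec": {"template": {"spec": {"containers": [{
    "name": "hubble-relay",
    "image": "quay.io/cilium/hubble-relay:v1.17.15",
    "startupProbe": {"exec": {"command": [
        "grpc_health_probe", "-addr=localhost:4245", "-rpc-timeout=5s"]}},
    "readinessProbe": {"grpc": {"port": 4222}, "timeoutSeconds": 5},
}]}}}}


def fixed(manifest):
    """Constructed 'after' form: native probe on :4222 and a digest-pinned image."""
    out = copy.deepcopy(manifest)
    for c in out["spec"]["template"]["spec"]["containers"]:
        c["image"] = f"{c['image']}@{DIGEST}"
        c["startupProbe"] = {"grpc": {"port": 4222}, "timeoutSeconds": 5}
    return out


def lint(manifest, health_port=4222):
    """Return (container, field, problem) tuples for a rendered Deployment."""
    findings = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        # A tag can be re-pointed at the registry; only a digest fixes the content.
        if "@sha256:" not in c.get("image", ""):
            findings.append((c["name"], "image", "tag only, no digest pin"))
        for field in PROBE_FIELDS:
            probe = c.get(field) or {}
            # The exec form needs a binary that v1.16+ relay images no longer ship.
            cmd = (probe.get("exec") or {}).get("command") or []
            if cmd and cmd[0].rsplit("/", 1)[-1] == "grpc_health_probe":
                findings.append((c["name"], field, "execs grpc_health_probe"))
            # Native gRPC probes are plaintext, so they must target the health port.
            port = (probe.get("grpc") or {}).get("port")
            if port is not None and port != health_port:
                findings.append((c["name"], field, f"grpc probe on :{port}"))
    return findings


if __name__ == "__main__":
    for finding in lint(BEFORE):
        print("FAIL", *finding)
    print("after:", lint(fixed(BEFORE)) or "clean")
```

To run it against real output, convert the `helm template` result to a dict per Deployment and pass each one to `lint`.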