Conversation

@lb0o lb0o commented Jul 7, 2025

[feature] Add templating for kubespan and allowSchedulingOnControlPlanes in values.yaml

Summary by CodeRabbit

  • New Features

    • Added the ability to enable or disable the Kubespan network feature through configuration settings.
    • Made the cluster discovery feature configurable based on the Kubespan setting.
    • Allow scheduling on control plane nodes to be toggled via configuration.
    • Introduced a new Helm template for dynamic machine configuration in Kubernetes clusters managed by Talos, supporting advanced network, kernel, and cluster settings.
  • Refactor

    • Improved template logic to make multiple features configurable through Helm values instead of using fixed defaults.

coderabbitai bot commented Jul 7, 2025

Walkthrough

The template logic in the Helm chart was updated to conditionally include or configure kubespan, allowSchedulingOnControlPlanes, and cluster.discovery.enabled fields based on corresponding Helm values, instead of using hardcoded defaults. Two new configuration keys were added to the values file. Additionally, a new Helm template talos.config was introduced to generate detailed Talos machine configuration dynamically based on input values and machine type.

Changes

File(s)                                                          | Change Summary
charts/cozystack/templates/_helpers.tpl, templates/_helpers.tpl  | Updated existing template with conditional logic for kubespan, allowSchedulingOnControlPlanes, and cluster.discovery.enabled. Added new talos.config Helm template for Talos machine configuration.
charts/cozystack/values.yaml                                     | Added new configuration keys: kubespan (default: false) and allowSchedulingOnControlPlanes (default: true).

Poem

In cozy stacks where Helm charts grow,
New logic now begins to flow.
With flags that flip and options true,
Kubespan appears when told to do.
Control planes schedule as you please—
Oh, what a charting bunny breeze! 🐇


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
charts/cozystack/templates/_helpers.tpl (1)

92-92: Good boolean handling, but consider default value protection.

The explicit boolean rendering is correct for Helm templates. However, consider adding a default value or checking for existence to handle undefined values gracefully.

Consider this pattern for safer default handling:

-allowSchedulingOnControlPlanes: {{ if eq .Values.allowSchedulingOnControlPlanes true }}true{{ else }}false{{ end }}
+allowSchedulingOnControlPlanes: {{ if .Values.allowSchedulingOnControlPlanes | default false }}true{{ else }}false{{ end }}
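Review bot: the `| default false` on the `+` line is redundant: an unset `.Values.allowSchedulingOnControlPlanes` is already falsy inside `if`, so the suggested line behaves exactly like `{{ if .Values.allowSchedulingOnControlPlanes }}`. The real mismatch is the fallback value: values.yaml documents this key with a default of `true` (walkthrough table above), while this template-side fallback picks `false`, so a consumer who drops the key gets a different result than the documented default. Either keep the two defaults identical or make the key mandatory with `required "allowSchedulingOnControlPlanes must be set" .Values.allowSchedulingOnControlPlanes`, so a missing value fails at render time instead of silently changing whether workloads land on control-plane nodes.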
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 55dd761 and 3e3174a.

📒 Files selected for processing (1)
  • charts/cozystack/templates/_helpers.tpl (3 hunks)
🔇 Additional comments (2)
charts/cozystack/templates/_helpers.tpl (2)

59-62: LGTM! Well-structured conditional kubespan configuration.

The conditional logic correctly includes the kubespan section only when explicitly enabled. The explicit boolean comparison and proper YAML indentation are good practices.


115-115: Logical coupling between kubespan and discovery is appropriate.

The conditional logic correctly links cluster discovery enablement to kubespan configuration, which makes architectural sense since these features work together.

Comment on lines +59 to +62
{{- if eq .Values.kubespan true }}
kubespan:
enabled: true
{{- end }}
💡 Verification agent

🧩 Analysis chain

Verify values.yaml contains the new configuration options.

The template now references .Values.kubespan and .Values.allowSchedulingOnControlPlanes which must be defined in values.yaml to prevent template rendering errors.

Also applies to: 92-92, 115-115


🏁 Script executed:

#!/bin/bash
# Verify that the new Helm values are defined in values.yaml

echo "Checking for kubespan configuration in values.yaml..."
if fd -t f -e yaml values.yaml | xargs grep -l "kubespan" > /dev/null 2>&1; then
    echo "✓ kubespan found in values.yaml"
    fd -t f -e yaml values.yaml | xargs grep -A 2 -B 2 "kubespan"
else
    echo "⚠ kubespan not found in values.yaml"
fi

echo -e "\nChecking for allowSchedulingOnControlPlanes configuration in values.yaml..."
if fd -t f -e yaml values.yaml | xargs grep -l "allowSchedulingOnControlPlanes" > /dev/null 2>&1; then
    echo "✓ allowSchedulingOnControlPlanes found in values.yaml"
    fd -t f -e yaml values.yaml | xargs grep -A 2 -B 2 "allowSchedulingOnControlPlanes"
else
    echo "⚠ allowSchedulingOnControlPlanes not found in values.yaml"
fi

echo -e "\nChecking for any default values that might be missing..."
rg -A 5 -B 5 "kubespan|allowSchedulingOnControlPlanes" --type yaml

Length of output: 1997


Add missing default values for kubespan and allowSchedulingOnControlPlanes

The Helm template now references .Values.kubespan and .Values.allowSchedulingOnControlPlanes, but neither key is defined in your values.yaml. This will cause rendering errors when installing or upgrading the chart.

Please update charts/cozystack/values.yaml to include defaults, for example:

# charts/cozystack/values.yaml

# Enable Kubespan integration
kubespan: false

# Allow pods to be scheduled on control-plane nodes
allowSchedulingOnControlPlanes: false

• Location of references in the template:

  • lines 59–62 (.Values.kubespan)
  • line 92 (.Values.allowSchedulingOnControlPlanes)
  • line 115 (.Values.allowSchedulingOnControlPlanes)
🤖 Prompt for AI Agents
In charts/cozystack/values.yaml, add default values for the keys `kubespan` and
`allowSchedulingOnControlPlanes` to prevent rendering errors. Set `kubespan` to
false and `allowSchedulingOnControlPlanes` to false as default booleans. This
ensures the Helm chart templates referencing these values at lines 59-62, 92,
and 115 in charts/cozystack/templates/_helpers.tpl will have defined defaults
during installation or upgrade.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
charts/cozystack/values.yaml (1)

13-14: Add inline documentation for new values

All other top-level keys in this file are preceded by a comment that explains their purpose (e.g., endpoint, clusterDomain, etc.). Adding a short comment for the newly introduced kubespan and allowSchedulingOnControlPlanes flags will help users discover and correctly configure these features directly from values.yaml, without having to open templates or PR discussion.

-# Enable Talos' encrypted mesh networking between nodes
+kubespan: false  # Enable Talos' encrypted mesh networking between nodes
-# Allow user workloads to be scheduled on control-plane nodes
+allowSchedulingOnControlPlanes: true  # Allow user workloads to be scheduled on control-plane nodes
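Review bot: the two `-` lines remove comment lines that, by the comment's own description, are not yet in the file, and the `+` lines re-add the explanation inline after the value, which is the opposite of the convention being cited (every other top-level key is preceded by a comment line). The change that matches the file's style keeps the comment above the key, e.g. `# Allow user workloads to be scheduled on control-plane nodes` followed by `allowSchedulingOnControlPlanes: true`. Note also that this hunk defaults `allowSchedulingOnControlPlanes` to `true` while the earlier verification comment proposed `false`; the chart has to settle on one, and `true` is the more permissive choice because it co-locates user workloads with the control-plane components.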

(Slight wording tweak is optional—main goal is to add any explanatory comment lines.)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3e3174a and b0bab6a.

📒 Files selected for processing (1)
  • charts/cozystack/values.yaml (1 hunks)

…an and allowschedulingoncontrolplanes

Signed-off-by: lb0o <[email protected]>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🔭 Outside diff range comments (1)
templates/_helpers.tpl (1)

1-121: Add input validation for required values.

Consider adding validation for required values to provide better error messages during template rendering.

Add validation at the beginning of the template:

 {{- define "talos.config" }}
+{{- if not .Values.advertisedSubnets -}}
+  {{- fail "advertisedSubnets is required in values" -}}
+{{- end -}}
+{{- if not .Values.endpoint -}}
+  {{- fail "endpoint is required in values" -}}
+{{- end -}}
 machine:
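Review bot: the `fail` guards work, but Helm's `required` does the same check and message in one expression and is the idiomatic form, e.g. `{{- $_ := required "advertisedSubnets is required in values" .Values.advertisedSubnets }}`. Second, the trailing `-}}` on the last added `{{- end -}}` trims the newline before `machine:`, so the defined block now starts directly with `machine:` instead of the newline the original `define` line produced; harmless when the block is consumed through `include ... | nindent`, but check the call site. Third, only `advertisedSubnets` and `endpoint` are validated, while the same template also reads `.Values.kubespan` and `.Values.allowSchedulingOnControlPlanes`; leaving those unvalidated is fine only as long as values.yaml keeps defining their defaults.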
🧹 Nitpick comments (1)
templates/_helpers.tpl (1)

20-30: Consider making kernel modules configurable.

The hardcoded list of kernel modules might not be necessary for all deployments. Consider making this list configurable to reduce attack surface and boot time.

   kernel:
+    {{- with .Values.kernelModules }}
     modules:
+    {{- toYaml . | nindent 4 }}
+    {{- else }}
     - name: openvswitch
     - name: drbd
       parameters:
         - usermode_helper=disabled
     - name: zfs
     - name: spl
     - name: vfio_pci
     - name: vfio_iommu_type1
+    {{- end }}
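Review bot: the `else` branch of this hunk has no `modules:` key. The unchanged `modules:` line sits between `{{- with .Values.kernelModules }}` and `{{- toYaml . | nindent 4 }}`, so it is only emitted when the value is set; when it is not, the default `- name: openvswitch` through `- name: vfio_iommu_type1` items land directly under `kernel:` and the machine config no longer parses. Move `modules:` above the `{{- with }}` line so both branches share it. Also, because the override replaces the whole list, a user who supplies `kernelModules` silently drops the `usermode_helper=disabled` parameter on `drbd`; the values.yaml comment should say that callers are expected to carry that parameter into their own list.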
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b0bab6a and 867dccf.

📒 Files selected for processing (1)
  • templates/_helpers.tpl (1 hunks)
🔇 Additional comments (4)
templates/_helpers.tpl (4)

1-7: LGTM!

The conditional removal of the exclude-from-external-load-balancers label for control plane nodes is appropriate and follows Talos configuration patterns.


8-15: LGTM!

The kubelet configuration with static CPU manager policy and increased pod limit is appropriate for production workloads.


41-48: LGTM!

The containerd configuration properly sets device ownership from security context for both plugin paths, ensuring compatibility across different containerd versions.


112-113: Verify proxy replacement strategy.

The kube-proxy is disabled, which requires an alternative solution for service networking. Ensure that the CNI or another component will handle service proxy functionality.

Since CNI is set to "none" (line 82), please verify that the cluster will have a working service proxy solution installed post-deployment.

controlPlane:
endpoint: "{{ .Values.endpoint }}"
{{- if eq .MachineType "controlplane" }}
allowSchedulingOnControlPlanes: {{ if eq .Values.allowSchedulingOnControlPlanes true }}true{{ else }}false{{ end }}
🛠️ Refactor suggestion

Simplify boolean value assignment.

The conditional boolean conversion is redundant.

-  allowSchedulingOnControlPlanes: {{ if eq .Values.allowSchedulingOnControlPlanes true }}true{{ else }}false{{ end }}
+  allowSchedulingOnControlPlanes: {{ .Values.allowSchedulingOnControlPlanes }}
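Review bot: the `+` line changes behaviour, not only shape. `{{ .Values.allowSchedulingOnControlPlanes }}` renders an unset key as `<no value>`, which Helm blanks to an empty string, so the output becomes `allowSchedulingOnControlPlanes:` with a null value instead of an explicit `false`; and a value supplied as a string (for example via `--set-string`) is copied into the YAML verbatim rather than normalised to a boolean. If the simplification is kept, keep a typed fallback such as `{{ .Values.allowSchedulingOnControlPlanes | default false }}` or rely on values.yaml always defining the key. The previous review round called the `eq ... true` form on this same line good boolean handling; the two rounds should agree on one form.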
🤖 Prompt for AI Agents
In templates/_helpers.tpl at line 92, the boolean assignment uses a redundant
conditional expression. Simplify it by directly assigning the boolean value from
.Values.allowSchedulingOnControlPlanes without using an if-else statement.

Comment on lines +59 to +62
{{- if eq .Values.kubespan true }}
kubespan:
enabled: true
{{- end }}
⚠️ Potential issue

Fix boolean comparison for kubespan.

The boolean comparison should be direct without using the eq function.

-    {{- if eq .Values.kubespan true }}
+    {{- if .Values.kubespan }}
     kubespan:
       enabled: true
     {{- end }}
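Review bot: the heading calls the `eq` form incorrect, but for a boolean value `{{ if eq .Values.kubespan true }}` and `{{ if .Values.kubespan }}` render identically; they differ only on mistyped input. With `if`, any non-empty value is truthy, so the string `"false"` (for example from `--set-string kubespan=false`) enables KubeSpan; with `eq`, comparing a string against a bool aborts rendering with an incompatible-types error, which is the safer failure for a setting that turns on node-to-node mesh networking. Either keep `eq`, or adopt `if` together with a comment in values.yaml stating that the key must be a YAML boolean.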
🤖 Prompt for AI Agents
In templates/_helpers.tpl around lines 59 to 62, the boolean comparison for
.Values.kubespan is done using the eq function, which is unnecessary. Replace
the condition to directly check the boolean value by using {{- if
.Values.kubespan }} instead of {{- if eq .Values.kubespan true }} to simplify
and correct the boolean check.

proxy:
disabled: true
discovery:
enabled: {{ if eq .Values.kubespan true }}true{{ else }}false{{ end }}
⚠️ Potential issue

Fix boolean comparison and simplify assignment.

The boolean comparison and conversion are incorrect and redundant.

-    enabled: {{ if eq .Values.kubespan true }}true{{ else }}false{{ end }}
+    enabled: {{ .Values.kubespan }}
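Review bot: same caveat as for line 92: with the key unset, `enabled: {{ .Values.kubespan }}` renders as `enabled:` (null) rather than `false`, and a string value is passed through untouched, so this line too depends on values.yaml defining `kubespan` as a proper boolean. The `eq`-based line being replaced is verbose but always yields a literal `true` or `false`; the claim that it is incorrect does not hold for boolean input.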
🤖 Prompt for AI Agents
In templates/_helpers.tpl at line 115, the boolean comparison using eq
.Values.kubespan true is redundant and incorrect. Replace the entire expression
with a direct boolean evaluation of .Values.kubespan to assign enabled, removing
the if-else and eq comparison for a simpler and correct boolean assignment.
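The three template spellings argued over in the comments above (the `eq ... true` form, the bare `if`, and direct interpolation) only diverge once a value is mistyped or missing. The Go program below is an added example, not code from the PR or from CodeRabbit: it drives Go's text/template, the engine Helm uses, over those three forms with a constructed values map holding only a `kubespan` key, and mirrors Helm's replacement of `<no value>` with an empty string.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// render executes one Helm-style template line against a values map.
// Like Helm's engine, it blanks "<no value>" (an unset key) to "".
// A render error is returned as "ERROR: ..." so the caller can see which
// form fails loudly instead of emitting wrong YAML.
func render(tmpl string, values map[string]interface{}) string {
	t, err := template.New("line").Parse(tmpl)
	if err != nil {
		return "ERROR: " + err.Error()
	}
	var sb strings.Builder
	if err := t.Execute(&sb, map[string]interface{}{"Values": values}); err != nil {
		return "ERROR: " + err.Error()
	}
	return strings.ReplaceAll(sb.String(), "<no value>", "")
}

// The three spellings from the review thread, applied to .Values.kubespan.
const (
	eqForm     = `enabled: {{ if eq .Values.kubespan true }}true{{ else }}false{{ end }}`
	ifForm     = `enabled: {{ if .Values.kubespan }}true{{ else }}false{{ end }}`
	directForm = `enabled: {{ .Values.kubespan }}`
)

// RenderAll renders each form for one kubespan value; nil models a
// values.yaml that does not define the key at all.
func RenderAll(kubespan interface{}) map[string]string {
	values := map[string]interface{}{}
	if kubespan != nil {
		values["kubespan"] = kubespan
	}
	return map[string]string{
		"eq":     render(eqForm, values),
		"if":     render(ifForm, values),
		"direct": render(directForm, values),
	}
}

func main() {
	// Constructed inputs: a proper bool, the string "false" as produced by
	// `--set-string kubespan=false`, and the key missing entirely.
	for _, v := range []interface{}{true, false, "false", nil} {
		fmt.Printf("kubespan=%#v\n", v)
		out := RenderAll(v)
		for _, form := range []string{"eq", "if", "direct"} {
			fmt.Printf("  %-6s -> %q\n", form, out[form])
		}
	}
}
```

With a real boolean all three forms agree; with the string "false" the `if` form silently enables the feature, the `eq` form refuses to render, and the direct form copies the string through, while a missing key makes the direct form emit `enabled:` with no value.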

Comment on lines +35 to +40
registries:
mirrors:
docker.io:
endpoints:
- https://mirror.gcr.io
files:
🛠️ Refactor suggestion

Make registry mirrors configurable.

The hardcoded mirror endpoint https://mirror.gcr.io might not be accessible in all environments. Consider making this configurable through values.

   registries:
     mirrors:
+      {{- with .Values.registryMirrors }}
+      {{- toYaml . | nindent 6 }}
+      {{- else }}
       docker.io:
         endpoints:
         - https://mirror.gcr.io
+      {{- end }}
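Review bot: the hunk is internally consistent (the `else` branch keeps the current `docker.io` default, so behaviour is unchanged until `registryMirrors` is set), but the new value is a supply-chain trust knob and should be documented as one: whoever sets `registryMirrors` redirects every image pull for the listed registries, so the values.yaml comment should state that endpoints must be HTTPS and be reviewed like any other image-source setting. Also confirm the indentation: `nindent 6` assumes `mirrors:` sits at four spaces in the rendered block, which matches the context lines shown here but should be checked against the `include ... | nindent` call site.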
🤖 Prompt for AI Agents
In templates/_helpers.tpl around lines 35 to 40, the mirror endpoint for
docker.io is hardcoded as https://mirror.gcr.io, which limits flexibility.
Modify the template to accept the mirror endpoint as a configurable value passed
through the values file, and use that value instead of the hardcoded URL. Ensure
to provide a default value or handle the case when no mirror is specified.
