[stopgap] Stop silly Cilium OLM no-op-upgrade loop

Works around isovalent/olm-for-cilium#87 using wisdom from operator-framework/operator-sdk#1069 (comment) As it turns out, generating a random certificate in a tight compare-and-reconcile loop (that doesn't back off) is a bad idea, #WHOWOULDHAVETHUNK. - Seting `hubble.tls.auto.method = certmanager` results in an idempotent Helm chart, and therefore breaks the loop. - As stated in the [official documentation](https://docs.cilium.io/en/stable/installation/k8s-install-openshift-okd/) (⌘F for “You can set any custom Helm values”), we can do that out of the `CiliumConfig`'s `spec`; which also explains why the schema thereof (`oc explain CiliumConfig.spec`) is so loosely defined. - Of course, now we need to install cert manager; which is why this is a [stopgap] and not a [fix]. (The only damage is that there will be no Hubble until we install it.)
epfl-si · Mar 20, 2024 · 4eaee05 · 4eaee05
1 parent bb58719
commit 4eaee05
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/templates/cluster-network-07-cilium-ciliumconfig.yaml b/templates/cluster-network-07-cilium-ciliumconfig.yaml
@@ -45,3 +45,12 @@ spec:
       enabled: true
     ui:
       enabled: true
+    tls:
+      auto:
+        # The default value (`helm`) runs into a silly
+        # upgrade-to-not-really-change-anything loop:
+        method: certmanager
+        certManagerIssuerRef:
+          group: cert-manager.io
+          kind: ClusterIssuer
+          name: ca-issuer