From 4eaee05b88a18addbcb244994f2116b1eff1d85c Mon Sep 17 00:00:00 2001
From: Dominique Quatravaux
Date: Thu, 7 Mar 2024 19:40:28 +0100
Subject: [PATCH] [stopgap] Stop silly Cilium OLM no-op-upgrade loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Works around https://github.com/isovalent/olm-for-cilium/issues/87 using wisdom from https://github.com/operator-framework/operator-sdk/issues/1069#issuecomment-462798953

As it turns out, generating a random certificate in a tight compare-and-reconcile loop (that doesn't back off) is a bad idea, #WHOWOULDHAVETHUNK.

- Setting `hubble.tls.auto.method = certmanager` results in an idempotent Helm chart, and therefore breaks the loop.
- As stated in the [official documentation](https://docs.cilium.io/en/stable/installation/k8s-install-openshift-okd/) (⌘F for “You can set any custom Helm values”), we can do that out of the `CiliumConfig`'s `spec`; which also explains why the schema thereof (`oc explain CiliumConfig.spec`) is so loosely defined.
- Of course, now we need to install cert manager; which is why this is a [stopgap] and not a [fix]. (The only damage is that there will be no Hubble until we install it.)

--- templates/cluster-network-07-cilium-ciliumconfig.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/templates/cluster-network-07-cilium-ciliumconfig.yaml b/templates/cluster-network-07-cilium-ciliumconfig.yaml index 42f57bc..783cb38 100644 --- a/templates/cluster-network-07-cilium-ciliumconfig.yaml +++ b/templates/cluster-network-07-cilium-ciliumconfig.yaml @@ -45,3 +45,12 @@ spec: enabled: true ui: enabled: true + tls: + auto: + # The default value (`helm`) runs into a silly + # upgrade-to-not-really-change-anything loop: + method: certmanager + certManagerIssuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: ca-issuer
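
Review bot: `certManagerIssuerRef` at the end of the added `tls.auto` block points at a `ClusterIssuer` named `ca-issuer`, but nothing in this patch creates that issuer, and the commit message says cert-manager is not installed yet. The YAML comment above `method: certmanager` only explains the loop, so someone reading the template alone cannot tell that Hubble TLS depends on an object that does not exist. Please extend that comment to name the prerequisite (cert-manager plus the `ca-issuer` ClusterIssuer) and to link the upstream issue from the commit message, so the stopgap can be found and revisited once the issue is resolved. Two smaller points on the same lines: the issuer name is hard-coded in a file under `templates/`, so consider making it a template value if other clusters may use a different issuer; and because the reference is to a cluster-scoped `ClusterIssuer`, Hubble's certificates will be signed by a CA that is usable from every namespace, which is worth a deliberate decision versus a namespaced `Issuer` dedicated to Hubble.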