README.md: 5 additions & 7 deletions
@@ -90,21 +90,19 @@ cilium install \
90
90
--set cgroup.hostRoot=/sys/fs/cgroup \
91
91
--set k8sServiceHost=localhost \
92
92
--set k8sServicePort=7445 \
93
+
--set hubble.enabled=false \
94
+
--set hubble.relay.enabled=false \
95
+
--set hubble.ui.enabled=false \
93
96
--set gatewayAPI.enabled=true \
94
97
--set gatewayAPI.enableAlpn=true \
95
98
--set gatewayAPI.enableAppProtocol=true
96
99
```
97
100
98
101
> **Important — version must match:** The `cilium install` CLI version must match the Helm chart version in `infrastructure/networking/cilium/kustomization.yaml` (currently **1.19.0**). Use `cilium install --version 1.19.0` to pin it. If versions differ, ArgoCD upgrades Cilium at Wave 0 and regenerates some Hubble certs but not others, causing TLS handshake failures (`x509: certificate signed by unknown authority`) that block all sync waves.
99
102
>
100
-
> **Important — cluster name must match:**`cluster.name` must match `infrastructure/networking/cilium/values.yaml`for Hubble certificate SANs. If `cilium install` is run without `--set cluster.name=talos-prod-cluster`, certificates are generated for `default` or `kind-kind`, causing the same TLS failures.
103
+
> **Important — Hubble is disabled at bootstrap on purpose:**The CLI install only provides basic CNI networking. ArgoCD enables Hubble at Wave 0 via the full `values.yaml`(which has `hubble.enabled: true`). This ensures ArgoCD is the sole owner of Hubble TLS certificates — no cert mismatch between CLI install and ArgoCD's Helm render. The `ignoreDifferences` in `cilium-app.yaml` then preserves those certs on subsequent syncs.
101
104
>
102
-
> **If Hubble Relay is crash-looping after bootstrap**, delete stale certs and restart:
> **Important — cluster name must match:**`cluster.name` must match `infrastructure/networking/cilium/values.yaml` for Hubble certificate SANs. If `cilium install` is run without `--set cluster.name=talos-prod-cluster`, certificates are generated for `default` or `kind-kind`, causing TLS failures.
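Review bot: The re-added cluster-name note at the end of the hunk contradicts the new Hubble note above it. It still justifies `cluster.name` by "Hubble certificate SANs" and says certificates "are generated for `default` or `kind-kind`" when `cilium install` runs without it, while the new note says the CLI install runs with `hubble.enabled=false` and ArgoCD is the sole owner of Hubble TLS certificates. Either state which certificates the CLI install still generates, or reword the note to explain why `cluster.name` must match even with Hubble disabled at bootstrap. The line "If Hubble Relay is crash-looping after bootstrap" is also removed here; clusters bootstrapped with the earlier instructions could still be in that state, so consider keeping the recovery steps under a note for existing installs. Minor: the added notes lack a space after the closing bold marker ("on purpose:**The CLI", "must match:**" before `cluster.name`) and before "(which has".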