
Commit f54c39e

committed
up
1 parent 28bb76e commit f54c39e

2 files changed

Lines changed: 11 additions & 7 deletions

File tree

README.md

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -90,21 +90,19 @@ cilium install \
9090
--set cgroup.hostRoot=/sys/fs/cgroup \
9191
--set k8sServiceHost=localhost \
9292
--set k8sServicePort=7445 \
93+
--set hubble.enabled=false \
94+
--set hubble.relay.enabled=false \
95+
--set hubble.ui.enabled=false \
9396
--set gatewayAPI.enabled=true \
9497
--set gatewayAPI.enableAlpn=true \
9598
--set gatewayAPI.enableAppProtocol=true
9699
```
97100

98101
> **Important — version must match:** The `cilium install` CLI version must match the Helm chart version in `infrastructure/networking/cilium/kustomization.yaml` (currently **1.19.0**). Use `cilium install --version 1.19.0` to pin it. If versions differ, ArgoCD upgrades Cilium at Wave 0 and regenerates some Hubble certs but not others, causing TLS handshake failures (`x509: certificate signed by unknown authority`) that block all sync waves.
99102
>
100-
> **Important — cluster name must match:** `cluster.name` must match `infrastructure/networking/cilium/values.yaml` for Hubble certificate SANs. If `cilium install` is run without `--set cluster.name=talos-prod-cluster`, certificates are generated for `default` or `kind-kind`, causing the same TLS failures.
103+
> **Important — Hubble is disabled at bootstrap on purpose:** The CLI install only provides basic CNI networking. ArgoCD enables Hubble at Wave 0 via the full `values.yaml` (which has `hubble.enabled: true`). This ensures ArgoCD is the sole owner of Hubble TLS certificates — no cert mismatch between CLI install and ArgoCD's Helm render. The `ignoreDifferences` in `cilium-app.yaml` then preserves those certs on subsequent syncs.
101104
>
102-
> **If Hubble Relay is crash-looping after bootstrap**, delete stale certs and restart:
103-
> ```bash
104-
> kubectl delete secret hubble-relay-client-certs hubble-server-certs -n kube-system
105-
> kubectl rollout restart deployment hubble-relay -n kube-system
106-
> kubectl rollout restart ds cilium -n kube-system
107-
> ```
105+
> **Important — cluster name must match:** `cluster.name` must match `infrastructure/networking/cilium/values.yaml` for Hubble certificate SANs. If `cilium install` is run without `--set cluster.name=talos-prod-cluster`, certificates are generated for `default` or `kind-kind`, causing TLS failures.
108106
109107
### Step 2: Install Gateway API CRDs
110108
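Review bot: the unchanged "version must match" note (context line 98/101) still explains the failure as ArgoCD "regenerates some Hubble certs but not others", which contradicts the new note that Hubble is disabled at bootstrap precisely so that ArgoCD is the sole owner of the Hubble TLS certificates; with `--set hubble.enabled=false` the CLI install creates no Hubble certs to mismatch, so the version note should be rewritten to describe what a version drift actually breaks now, or its cert rationale dropped. The same staleness applies to the moved "cluster name must match" note, which still says a CLI install without `--set cluster.name=talos-prod-cluster` generates certificates for `default` or `kind-kind`; state the reason cluster.name still has to agree with `values.yaml` after this change (for example that ArgoCD's Helm render and the running config must not diverge), or it reads as a leftover. Finally, the crash-loop recovery steps (`kubectl delete secret hubble-relay-client-certs hubble-server-certs -n kube-system` and the two rollout restarts) are removed outright; since the cert-ownership guarantee depends on `ignoreDifferences` in `cilium-app.yaml` being correct, keep them in a troubleshooting section rather than deleting them.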

scripts/bootstrap-argocd.sh

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,9 @@ if ! cilium status --wait --wait-duration 30s &> /dev/null; then
3939
echo " --set kubeProxyReplacement=true \\"
4040
echo " --set k8sServiceHost=localhost \\"
4141
echo " --set k8sServicePort=7445 \\"
42+
echo " --set hubble.enabled=false \\"
43+
echo " --set hubble.relay.enabled=false \\"
44+
echo " --set hubble.ui.enabled=false \\"
4245
echo " --set gatewayAPI.enabled=true"
4346
echo ""
4447
exit 1
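Review bot: the echoed install hint drifts from the README command this commit also edits: the README shows `--set cgroup.hostRoot=/sys/fs/cgroup`, `--set gatewayAPI.enableAlpn=true` and `--set gatewayAPI.enableAppProtocol=true`, none of which appear in this hint, which ends at `--set gatewayAPI.enabled=true`. The script already knows `EXPECTED_CILIUM_VERSION` (see the next hunk's header), so the hint should also print `--version "$EXPECTED_CILIUM_VERSION"` if it does not already, since the README calls the version pin mandatory. Either generate the README snippet from the script or keep one source of truth so the two do not need to be patched in lockstep as they were here.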
@@ -62,6 +65,9 @@ if [ -n "$RUNNING_VERSION" ] && [ "$RUNNING_VERSION" != "$EXPECTED_CILIUM_VERSIO
6265
echo " --set kubeProxyReplacement=true \\"
6366
echo " --set k8sServiceHost=localhost \\"
6467
echo " --set k8sServicePort=7445 \\"
68+
echo " --set hubble.enabled=false \\"
69+
echo " --set hubble.relay.enabled=false \\"
70+
echo " --set hubble.ui.enabled=false \\"
6571
echo " --set gatewayAPI.enabled=true"
6672
echo ""
6773
read -p " Continue anyway? (y/N) " -n 1 -r
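Review bot: this is the second verbatim copy of the same `echo` block (three new `--set hubble.*` lines added identically in both hunks); factor the hint into a single function such as `print_install_hint` called from both the "cilium not ready" branch and this version-mismatch branch so future flag changes land in one place. In this branch the user is offered "Continue anyway? (y/N)" after a version mismatch, but the README states that a mismatched version breaks every ArgoCD sync wave; the hint printed here should therefore include `--version "$EXPECTED_CILIUM_VERSION"` so the operator sees the exact fix before deciding to continue.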
