Update Cilium application configuration to ignore differences for hubble-server-certs Secret, add Helm value files for better management, and enhance Argo CD kustomization with resource ordering and sync options.

2026-03-27 19:16:31 -04:00
parent 55833b2593
commit ae5bfdf2f7
8 changed files with 294 additions and 49 deletions
--- a/clusters/noble/apps/cilium/application.yaml
+++ b/clusters/noble/apps/cilium/application.yaml
@@ -7,6 +7,15 @@ metadata:
    argocd.argoproj.io/sync-wave: "0"
 spec:
  project: default
+  # Helm TLS material for Hubble is rotated/generated; Argo SSA and CLI helm
+  # upgrades both touch Secret data and cause apply conflicts unless ignored.
+  ignoreDifferences:
+    - group: ""
+      kind: Secret
+      name: hubble-server-certs
+      namespace: kube-system
+      jqPathExpressions:
+        - .data
  destination:
    server: https://kubernetes.default.svc
    namespace: kube-system
@@ -15,39 +24,16 @@ spec:
      chart: cilium
      targetRevision: 1.16.6
      helm:
-        valuesObject:
-          k8sServiceHost: 192.168.50.20
-          k8sServicePort: 6443
-          cgroup:
-            autoMount:
-              enabled: false
-            hostRoot: /sys/fs/cgroup
-          ipam:
-            operator:
-              clusterPoolIPv4PodCIDRList:
-                - 10.244.0.0/16
-          securityContext:
-            capabilities:
-              ciliumAgent:
-                - CHOWN
-                - KILL
-                - NET_ADMIN
-                - NET_RAW
-                - IPC_LOCK
-                - SYS_ADMIN
-                - SYS_RESOURCE
-                - DAC_OVERRIDE
-                - FOWNER
-                - SETGID
-                - SETUID
-              cleanCiliumState:
-                - NET_ADMIN
-                - SYS_ADMIN
-                - SYS_RESOURCE
+        valueFiles:
+          - $values/clusters/noble/apps/cilium/helm-values.yaml
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: HEAD
+      ref: values
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
+      - RespectIgnoreDifferences=true

--- a/clusters/noble/apps/cilium/helm-values.yaml
+++ b/clusters/noble/apps/cilium/helm-values.yaml
@@ -0,0 +1,36 @@
+# Same settings as the Argo CD Application (keep in sync).
+# Used for manual `helm install` before Argo when Talos uses cni: none.
+#
+# operator.replicas: chart default is 2 with required pod anti-affinity. If fewer
+# than two nodes can schedule (e.g. NotReady / taints), `helm --wait` never finishes.
+k8sServiceHost: 192.168.50.20
+k8sServicePort: 6443
+cgroup:
+  autoMount:
+    enabled: false
+  hostRoot: /sys/fs/cgroup
+ipam:
+  operator:
+    clusterPoolIPv4PodCIDRList:
+      - 10.244.0.0/16
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE
+
+operator:
+  replicas: 1