diff --git a/ansible/roles/noble_cilium/defaults/main.yml b/ansible/roles/noble_cilium/defaults/main.yml
new file mode 100644
index 0000000..cbb5bb3
--- /dev/null
+++ b/ansible/roles/noble_cilium/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# When true, delete **kube-system/hubble-server-certs** if its **managedFields** show **argocd-controller**
+# (recover from Helm SSA conflicts after Argo synced Cilium before Ansible).
+noble_cilium_repair_argo_ssa_on_hubble_secret: true
diff --git a/ansible/roles/noble_cilium/tasks/main.yml b/ansible/roles/noble_cilium/tasks/main.yml
index fec9bcb..5e8fae3 100644
--- a/ansible/roles/noble_cilium/tasks/main.yml
+++ b/ansible/roles/noble_cilium/tasks/main.yml
@@ -1,4 +1,43 @@ --- +# Argo may have server-side-applied chart-owned Secrets during earlier runs; Helm then fails with +# "conflict with argocd-controller". Drop the Secret only when that manager is present. +- name: Read hubble-server-certs Secret (if any) for SSA repair + ansible.builtin.command: + argv: + - kubectl + - get + - secret + - hubble-server-certs + - -n + - kube-system + - -o + - json + environment: + KUBECONFIG: "{{ noble_kubeconfig }}" + register: noble_cilium_hubble_secret_json + failed_when: false + changed_when: false + when: noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool + +- name: Remove hubble-server-certs when Argo is a field manager (Helm SSA conflict recovery) + ansible.builtin.command: + argv: + - kubectl + - delete + - secret + - hubble-server-certs + - -n + - kube-system + - --wait=false + environment: + KUBECONFIG: "{{ noble_kubeconfig }}" + when: + - noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool + - not (noble_cilium_hubble_secret_json.skipped | default(false)) + - noble_cilium_hubble_secret_json.rc | default(-1) | int == 0 + - '"argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default(""))' + changed_when: true + - name: Install Cilium (required CNI for Talos cni:none) ansible.builtin.command: argv:
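Review bot: The delete condition on the "Remove hubble-server-certs" task, `'"argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default(""))'`, is a substring match over the entire `-o json` document rather than the `metadata.managedFields[].manager` check the defaults comment promises, so any label, annotation or data value that happens to contain that string would also trigger deletion of a Secret which, by its name, presumably holds Hubble's server TLS key pair. The same `-o json` read registers the Secret's full base64 `data` into `noble_cilium_hubble_secret_json` with no `no_log: true`, so that key material can end up in verbose output or callback logs. Both points are addressed by fetching only the managers: replace the `- json` argv entry with `- jsonpath={.metadata.managedFields[*].manager}` and change the condition to `'"argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default("")).split()'`; `failed_when: false` on the read task can stay, since a failed read leaves `rc` non-zero and the delete is skipped. If `-o json` is kept instead, add `no_log: true` to the read task and derive the manager list with `from_json` rather than string containment.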