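---
# Argo may have server-side-applied chart-owned Secrets during earlier runs;
# Helm then fails with "conflict with argocd-controller".
# kubectl omits managedFields from JSON output unless
# --show-managed-fields=true is passed, so the read task sets it explicitly.
# The Secret is deleted only when a managedFields entry names a manager
# containing "argocd-controller", or when
# noble_cilium_delete_hubble_server_certs_if_present is set.

- name: Read hubble-server-certs Secret (if any) for SSA repair
  ansible.builtin.command:
    argv:
      - kubectl
      - get
      - secret
      - hubble-server-certs
      - -n
      - kube-system
      - --show-managed-fields=true
      - -o
      - json
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_cilium_hubble_secret_json
  # A missing Secret makes kubectl exit non-zero; that is not an error here.
  # The delete task checks rc before acting.
  failed_when: false
  changed_when: false
  # The JSON output carries the Secret's data field, so keep the result out of
  # task output and logs. The registered variable is still usable by later tasks.
  no_log: true
  when: noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool

- name: Remove hubble-server-certs when Argo is a field manager (Helm SSA conflict recovery)
  ansible.builtin.command:
    argv:
      - kubectl
      - delete
      - secret
      - hubble-server-certs
      - -n
      - kube-system
      - --wait=false
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  # Conditions are evaluated in order, so the JSON is parsed only after the
  # read task ran and returned rc 0.
  when:
    - noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
    - not (noble_cilium_hubble_secret_json.skipped | default(false))
    - noble_cilium_hubble_secret_json.rc | default(-1) | int == 0
    # Match against the manager names in metadata.managedFields rather than the
    # whole JSON document, so the string appearing in data, labels or
    # annotations cannot trigger the delete. The override variable forces
    # deletion whenever the Secret exists.
    - >-
      (noble_cilium_delete_hubble_server_certs_if_present | default(false) | bool)
      or ("argocd-controller" in (
      (noble_cilium_hubble_secret_json.stdout | from_json).metadata.managedFields
      | default([]) | selectattr("manager", "defined")
      | map(attribute="manager") | join(" ")))
  changed_when: true

- name: Install Cilium (required CNI for Talos cni:none)
  ansible.builtin.command:
    argv:
      - helm
      - upgrade
      - --install
      - cilium
      # Resolved through the local Helm repo alias "cilium"; presumably added
      # by an earlier task. Confirm it points at the intended chart repository.
      - cilium/cilium
      - --namespace
      - kube-system
      # Quoted so the chart version stays a string.
      - --version
      - "1.19.4"
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/cilium/values.yaml"
      # Helm takes ownership of conflicting fields from other field managers.
      - --force-conflicts
      - --wait
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  # Always reported as changed: the command output is not inspected.
  changed_when: true

- name: Wait for Cilium DaemonSet
  ansible.builtin.command:
    # argv form, consistent with the other tasks in this file.
    argv:
      - kubectl
      - -n
      - kube-system
      - rollout
      - status
      - ds/cilium
      - --timeout=300s
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  changed_when: false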