68 lines
2.2 KiB
YAML
68 lines
2.2 KiB
YAML
---
|
|
# Argo may have server-side-applied chart-owned Secrets during earlier runs; Helm then fails with
|
|
# "conflict with argocd-controller". **kubectl** omits **managedFields** unless **--show-managed-fields=true**.
|
|
# We delete the Secret only when **argocd-controller** appears there (or set **noble_cilium_delete_hubble_server_certs_if_present**).
|
|
- name: Read hubble-server-certs Secret (if any) for SSA repair
|
|
ansible.builtin.command:
|
|
argv:
|
|
- kubectl
|
|
- get
|
|
- secret
|
|
- hubble-server-certs
|
|
- -n
|
|
- kube-system
|
|
- --show-managed-fields=true
|
|
- -o
|
|
- json
|
|
environment:
|
|
KUBECONFIG: "{{ noble_kubeconfig }}"
|
|
register: noble_cilium_hubble_secret_json
|
|
failed_when: false
|
|
changed_when: false
|
|
when: noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
|
|
|
|
- name: Remove hubble-server-certs when Argo is a field manager (Helm SSA conflict recovery)
|
|
ansible.builtin.command:
|
|
argv:
|
|
- kubectl
|
|
- delete
|
|
- secret
|
|
- hubble-server-certs
|
|
- -n
|
|
- kube-system
|
|
- --wait=false
|
|
environment:
|
|
KUBECONFIG: "{{ noble_kubeconfig }}"
|
|
when:
|
|
- noble_cilium_repair_argo_ssa_on_hubble_secret | default(true) | bool
|
|
- not (noble_cilium_hubble_secret_json.skipped | default(false))
|
|
- noble_cilium_hubble_secret_json.rc | default(-1) | int == 0
|
|
- (noble_cilium_delete_hubble_server_certs_if_present | default(false) | bool) or ("argocd-controller" in (noble_cilium_hubble_secret_json.stdout | default("")))
|
|
changed_when: true
|
|
|
|
- name: Install Cilium (required CNI for Talos cni:none)
|
|
ansible.builtin.command:
|
|
argv:
|
|
- helm
|
|
- upgrade
|
|
- --install
|
|
- cilium
|
|
- cilium/cilium
|
|
- --namespace
|
|
- kube-system
|
|
- --version
|
|
- "1.19.4"
|
|
- -f
|
|
- "{{ noble_repo_root }}/clusters/noble/bootstrap/cilium/values.yaml"
|
|
- --force-conflicts
|
|
- --wait
|
|
environment:
|
|
KUBECONFIG: "{{ noble_kubeconfig }}"
|
|
changed_when: true
|
|
|
|
- name: Wait for Cilium DaemonSet
|
|
ansible.builtin.command: kubectl -n kube-system rollout status ds/cilium --timeout=300s
|
|
environment:
|
|
KUBECONFIG: "{{ noble_kubeconfig }}"
|
|
changed_when: false
|