fix(infra): set envoyConfig.enabled=true so cilium-operator registers envoyconfig CRDs (Phase-8a bug #15)

Phase-8a-preflight live deployment 1bfc46347564467b confirmed cilium-agent crash-loops forever waiting for envoyconfig CRDs that the operator never registers: Still waiting for Cilium Operator to register the following CRDs: [crd:ciliumclusterwideenvoyconfigs.cilium.io crd:ciliumenvoyconfigs.cilium.io] Root cause: upstream Cilium 1.16 chart has TWO separate envoy toggles: - cilium.envoy.enabled — runs Envoy as a separate DaemonSet (was set) - cilium.envoyConfig.enabled — registers CRDs + agent/operator controllers for CiliumEnvoyConfig (was NOT set) The chart values.yaml only sets envoy.enabled=true. Operator finishes CRD registration with 11 of 13 CRDs, missing the two envoy ones, and cilium-agent's node taint never lifts. All 37 dependent HelmReleases block forever on the dependsOn chain. Fix in HR values (no chart rebuild needed; lands via Flux on next sovereign provision directly).
2026-05-01 21:38:16 +02:00 · 2026-05-01 21:38:16 +02:00 · 66ea39f091
commit 66ea39f091
parent 0765e89ac6
1 changed files with 11 additions and 4 deletions
--- a/clusters/_template/bootstrap-kit/01-cilium.yaml
+++ b/clusters/_template/bootstrap-kit/01-cilium.yaml
@ -55,10 +55,17 @@ spec:
      retries: 3
  values:
    cilium:
-      # Enable L7 proxy so Cilium's chart installs the
-      # ciliumenvoyconfigs / ciliumclusterwideenvoyconfigs CRDs that the
-      # cilium-agent waits for at startup. Without this, agent crash-loops
-      # forever and the node.cilium.io/agent-not-ready taint never lifts.
+      # Phase-8a bug #15 (otech8 deployment 1bfc46347564467b 2026-05-01):
+      # cilium-agent waits forever for the operator to register
+      # ciliumenvoyconfigs + ciliumclusterwideenvoyconfigs CRDs.
+      # Setting `envoy.enabled: true` (chart-level) runs Envoy as a separate
+      # daemonset but does NOT register those CRDs — that requires
+      # `envoyConfig.enabled: true`, a separate upstream chart toggle.
+      # Without it, the agent's node taint `node.cilium.io/agent-not-ready`
+      # never lifts and every other HelmRelease (37 of them) blocks on its
+      # dependsOn chain.
+      envoyConfig:
+        enabled: true
      l7Proxy: true
      prometheus:
        enabled: false