From 66ea39f091384927119e098ea5acfbb8dea118f3 Mon Sep 17 00:00:00 2001 From: hatiyildiz Date: Fri, 1 May 2026 21:38:16 +0200 Subject: [PATCH] fix(infra): set envoyConfig.enabled=true so cilium-operator registers envoyconfig CRDs (Phase-8a bug #15) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Phase-8a-preflight live deployment 1bfc46347564467b confirmed cilium-agent crash-loops forever waiting for envoyconfig CRDs that the operator never registers: Still waiting for Cilium Operator to register the following CRDs: [crd:ciliumclusterwideenvoyconfigs.cilium.io crd:ciliumenvoyconfigs.cilium.io] Root cause: upstream Cilium 1.16 chart has TWO separate envoy toggles: - cilium.envoy.enabled — runs Envoy as a separate DaemonSet (was set) - cilium.envoyConfig.enabled — registers CRDs + agent/operator controllers for CiliumEnvoyConfig (was NOT set) The chart values.yaml only sets envoy.enabled=true. Operator finishes CRD registration with 11 of 13 CRDs, missing the two envoy ones, and cilium-agent's node taint never lifts. All 37 dependent HelmReleases block forever on the dependsOn chain. Fix in HR values (no chart rebuild needed; lands via Flux on next sovereign provision directly). --- clusters/_template/bootstrap-kit/01-cilium.yaml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/clusters/_template/bootstrap-kit/01-cilium.yaml b/clusters/_template/bootstrap-kit/01-cilium.yaml index cc339c3a..02e54984 100644 --- a/clusters/_template/bootstrap-kit/01-cilium.yaml +++ b/clusters/_template/bootstrap-kit/01-cilium.yaml 
@@ -55,10 +55,17 @@ spec: retries: 3 values: cilium: - # Enable L7 proxy so Cilium's chart installs the - # ciliumenvoyconfigs / ciliumclusterwideenvoyconfigs CRDs that the - # cilium-agent waits for at startup. Without this, agent crash-loops - # forever and the node.cilium.io/agent-not-ready taint never lifts. + # Phase-8a bug #15 (otech8 deployment 1bfc46347564467b 2026-05-01): + # cilium-agent waits forever for the operator to register + # ciliumenvoyconfigs + ciliumclusterwideenvoyconfigs CRDs. + # Setting `envoy.enabled: true` (chart-level) runs Envoy as a separate + # daemonset but does NOT register those CRDs — that requires + # `envoyConfig.enabled: true`, a separate upstream chart toggle. + # Without it, the agent's node taint `node.cilium.io/agent-not-ready` + # never lifts and every other HelmRelease (37 of them) blocks on its + # dependsOn chain. + envoyConfig: + enabled: true l7Proxy: true prometheus: enabled: false
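Review bot: The new comment block above `envoyConfig:` hard-codes incident details (deployment id 1bfc46347564467b, the date 2026-05-01, and the count "37 of them") into a file under clusters/_template, where they will go stale as the number of HelmReleases changes. The commit message already records them. Suggest keeping only the durable part of the comment: `envoy.enabled` runs Envoy as a separate DaemonSet, `envoyConfig.enabled` is what registers the ciliumenvoyconfigs and ciliumclusterwideenvoyconfigs CRDs, and without it the `node.cilium.io/agent-not-ready` taint never lifts. Separately, the removed comment was the only explanation for `l7Proxy: true`, which stays in place with no comment of its own; a one-line note on whether it is still needed alongside `envoyConfig.enabled: true` would help the next reader. The message reports 11 of 13 CRDs registered before the fix but gives no post-fix observation; stating that the operator now registers all 13 and the taint lifts would make the fix verifiable from the log alone.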