Helm hubble-generate-cert job blocks install with `--wait` due to post-install scheduling

[pdf]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.17.5 and lower than v1.18.0

What happened?

Attempting to install cilium via helm with hubble.tls.auto.method = cronJob with --wait hangs until timeout as hubble pods cannot reach ready state.

Being able to rely on --wait is important for automation, as it's the primary mechanism for determining that resources are correctly deployed and ready in the cluster before attempting to load dependent resources.

The issue is that the hubble-relay pod relies on the certificates that would be generated by the hubble-generate-cert job, but that job is annotated with "helm.sh/hook": post-install, post-upgrade which per the helm lifecycle docs means that it will not be deployed until all reasources reach ready-state when using --wait, and this creates a dependency deadlock.

I assume the same is true for both hubble and clustermesh, since they use the same mechanism, though I've only tested with hubble at this stage.

cilium/install/kubernetes/cilium/templates/hubble/tls-cronjob/job.yaml

Line 16 in 1facc6a

"helm.sh/hook": post-install,post-upgrade

cilium/install/kubernetes/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml

Line 15 in 1facc6a

"helm.sh/hook": post-install,post-upgrade

How can we reproduce the issue?

1. Set helm values:
   hubble.enabled=true
   hubble.tls.enabled=true
   hubble.tls.auto.enabled=true
   hubble.tls.auto.method="cronJob"
2. Install cilium via helm with --wait (or use terraform/pulumi/flux/etc, which all rely on wait behaviour)

Cilium Version

v1.17.5

Kernel Version

6.15.4

Kubernetes Version

v1.33.2

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[kaworu]

Thanks for the report @pdf, I'll take a closer look.

[kaworu]

Discussing with @devodev the first think to do is try with an optional projection of the tls secrets in Hubble Relay, use Future for certloader and wait (as it is done in Hubble server), and launch the health server before we see the TLS material so that the k8s probes will succeed (although Relay will return NOT SERVING as long as it has not picked up the certificates).

[MrFreezeex]

👋, we have a slightly different context in ClusterMesh so AFAIK we unfortunately can't really do the same thing as Hubble (make the clustermesh-apiserver pod ready without the cert being generated). But I think that this: #42045 (comment) could work fairly well for both Hubble and ClusterMesh.

What your thought on this for Hubble? Do you prefer to continue with the current proposed solution of making the ready probe succeed without the cert (which would not require the job to be deleted first)? If yes but we still do this for ClusterMesh should we allow deleting the helm hook annotation only for the ClusterMesh job and not Hubble ones?

[pdf]

Is there perhaps some alternative approach not yet considered for both resources?

Perhaps an init container might be used to check if a cert exists and create a job to generate one if not? This should avoid the Helm lifecylce issues by taking the initial cert generation out of the direct Helm resource view, but still allow managing the cronJob resource through the chart via hooks.

I don't love the idea of requiring cluster admins to manually mangle/delete resources in order for config/version updates to function correctly as proposed in #42045 (comment) and I suspect that the idea of allowing users to drop the hook annotations will just result in the same problems the hook was attempting to solve - dirty resources being recreated when reconciling the helm release in CD tooling.

[MrFreezeex]

I don't love the idea of requiring cluster admins to manually mangle/delete resources in order for config/version updates to function

Well I think that in most case it would most likely get deleted with ttlSecondsAfterFinished and as said in the other thread you could also reduce this/if we were to do this we would recommend to also reduce this. As it is non default I would personally think that it is a good trade-off, but not a perfect/ideal one indeed though.

and I suspect that the idea of allowing users to drop the hook annotations will just result in the same problems the hook was attempting to solve - dirty resources being recreated when reconciling the helm release in CD tooling.

Hmm indeed ArgoCD would show a diff if the job resource gets deleted by the TTL since it would want to re-create it :/. Which makes this not that great :/.

Is there perhaps some alternative approach not yet considered for both resources?

Perhaps an init container might be used to check if a cert exists and create a job to generate one if not? This should avoid the Helm lifecylce issues by taking the initial cert generation out of the direct Helm resource view, but still allow managing the cronJob resource through the chart via hooks.

Hmm interesting, I think the main blocker for that would be to allow running certgen concurrently and probably have some condition to not renew the cert if it was recently regen? I haven't dig too much on this code but that might be doable 🤔?

[pdf]

I think the main blocker for that would be to allow running certgen concurrently and probably have some condition to not renew the cert if it was recently regen?

My thinking is that the init container would be attached to the resource that requires the cert, so this would run before that resource is brought up, and that the cert would only be generated if there is no existing cert, with renewals expected to be handled by the cronJob.

Since init containers are only started during rollout I don't think they're suitable for general renewal duties, since renewals will need to happen on an independent schedule, but I think they can probably solve this chicken-egg problem during initial deployment.