Helm job clustermesh-apiserver-generate-certs never created

[FlareSensei]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.18.2 and lower than v1.19.0

What happened?

The job clustermesh-apiserver-generate-certs is never created because of the helm-hooks post-install because the clustermesh-apiserver PODs only get healthy after the certificates are created. Chicken-and-egg problem.

$ cat ./templates/clustermesh-apiserver/tls-cronjob/job.yaml

{{- if and (and .Values.clustermesh.useAPIServer (eq .Values.clustermesh.apiserver.kvstoremesh.kvstoreMode "internal")) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: clustermesh-apiserver-generate-certs
  namespace: {{ include "cilium.namespace" . }}
  labels:
    k8s-app: clustermesh-apiserver-generate-certs
    {{- with .Values.commonLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    app.kubernetes.io/part-of: cilium
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    {{- with .Values.certgen.annotations.job }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.clustermesh.annotations }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
{{ include "clustermesh-apiserver-generate-certs.job.spec" . }}
{{- end }}

Workaround is to manually create the job:

kubectl -n runtime create job --from=cronjob/clustermesh-apiserver-generate-certs clustermesh-apiserver-generate-certs-manual

How can we reproduce the issue?

Create fresh clustermesh with tls.auto.method=cronJob

Cilium Version

Cilium 1.18.2

Kernel Version

[ec2-user@ip-10-1-182-52 ~]$ uname -a
Linux ip-10-1-182-52.eu-central-1.compute.internal 6.1.150-174.273.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Sep 9 12:21:26 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

EKS 1.32

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[MrFreezeex]

Hi 👋,

Thanks for the issue! Are you willing to contribute to the fix? I believe we could add this job (and the resources depending on it like the service account) on pre-install/pre-upgrade instead.

Hubble might be affected as well as it have similar setup (in install/kubernetes/cilium/templates/hubble/tls-cronjob) I am not entirely sure if it has a pod not being ready/created before the cert is created though so maybe it does not. Even if it already works, it could makes sense to still do it there to keep clustermesh and hubble cert generation closer I think it could be part of the same PR and the hubble reviewer assigned to the PR could probably decide if it makes sense for them/have inputs about this.

[MrFreezeex]

Actually it might be even be simpler and better to remove the helm hook annotations there rather than adding it in pre-* hooks as it would make cilium installs faster by not waiting for a hook and more importantly pre-* hooks add a requirement that this cert generation to only be done after a first installation of Cilium has been performed (because the pod in this job can not be ran if there is no CNI installed) which is definitely not ideal

[MrFreezeex]

Ah I didn't know but it's actually documented here for hubble with the same workaround: https://docs.cilium.io/en/latest/observability/hubble/configuration/tls/#troubleshooting. It says there why it cannot run as a pre-* hook (same reason I mentioned in my previous message). Also here is the explanation #23102 (review) of why it run as a hook (so that the job can be automatically recreated when a new job should gets created). There's also this somewhat related issue: #40381.

@FlareSensei Could you clarify what your env look like, are you running ArgoCD or are you running helm with the --wait flag?

[FlareSensei]

@MrFreezeex This is indeed same behavior: #40381. We are running Terraform with helm provider with the wait = true. We do not use ArgoCD.

[MrFreezeex]

Hmmm so unfortunately the solution for Hubble cannot really be applied to clustermesh-apiserver since we rely heavily on the clustermesh-apiserver being ready for ClusterMesh (it needs to be populated with data from remote clusters before being ready and at the same time we need the cert to be able to access those remote clusters).

I think what we could do is to move the helm hook annotation to the value file here

cilium/install/kubernetes/cilium/values.yaml

Line 1193 in 97c2555

job: {}

so that you can override it/remove that annotation in your case. And by doing that you would then accept that the job cannot be recreated differently (a job is immutable in Kubernetes, and you would not be able to change some of the clustermesh setting/probably upgrade Cilium) unless the job has been deleted first manually or with ttlSecondsAfterFinished (set by default to 30h, but you could also set a lower value than that on your end).

[FlareSensei]

@MrFreezeex Moving the hooks to values and therefor enabling removal would most likely solve it for us. The ttlSecondsAfterFinished can be set to a much lower value.

For you information, this workaround in Terraform does it for us at the moment:

resource "null_resource" "clustermesh_apiserver_generate_certs_job" {
  provisioner "local-exec" {
    command = <<-EOT
      aws eks update-kubeconfig --region ${var.account.region} --name eks-${var.account.resource_suffix} && \
        while ! kubectl -n runtime get cronjob clustermesh-apiserver-generate-certs >/dev/null 2>&1; do sleep 1; done && \
        kubectl -n runtime create job --from=cronjob/clustermesh-apiserver-generate-certs clustermesh-apiserver-generate-certs
    EOT
  }
}

[MrFreezeex]

FYI we brainstomed on the other issue here: #40381 with the user that had the same issue as you but for hubble, let's keep the discussion on the other issue and move back here in case Hubble/ClusterMesh end up with different solutions.

Thanks for adding your workaround here though, it might help people in the same situation as you until it is properly fixed :D