github.com/cilium/cilium@v1.16.2/Documentation/configuration/argocd-issues.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 https://docs.cilium.io 6 7 .. _argocd_issues: 8 9 ******************************************** 10 Troubleshooting Cilium deployed with Argo CD 11 ******************************************** 12 13 There have been reports from users hitting issues with Argo CD. This documentation 14 page outlines some of the known issues and their solutions. 15 16 Argo CD deletes CustomResourceDefinitions 17 ========================================= 18 19 When deploying Cilium with Argo CD, some users have reported that Cilium-generated custom resources disappear, 20 causing one or more of the following issues: 21 22 - ``ciliumid`` not found (:gh-issue:`17614`) 23 - Argo CD Out-of-sync issues for hubble-generate-certs (:gh-issue:`14550`) 24 - Out-of-sync issues for Cilium using Argo CD (:gh-issue:`18298`) 25 26 Solution 27 -------- 28 29 To prevent these issues, declare resource exclusions in the Argo CD ``ConfigMap`` by following `these instructions <https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#resource-exclusioninclusion>`__. 30 31 Here is an example snippet: 32 33 .. code-block:: yaml 34 35 resource.exclusions: | 36 - apiGroups: 37 - cilium.io 38 kinds: 39 - CiliumIdentity 40 clusters: 41 - "*" 42 43 44 Also, it has been reported that the problem may affect all workloads you deploy with Argo CD in a cluster running Cilium, not just Cilium itself. 45 If so, you will need the following exclusions in your Argo CD application definition to avoid getting “out of sync” when Hubble rotates its certificates. 46 47 .. code-block:: yaml 48 49 ignoreDifferences: 50 - group: "" 51 kind: ConfigMap 52 name: hubble-ca-cert 53 jsonPointers: 54 - /data/ca.crt 55 - group: "" 56 kind: Secret 57 name: hubble-relay-client-certs 58 jsonPointers: 59 - /data/ca.crt 60 - /data/tls.crt 61 - /data/tls.key 62 - group: "" 63 kind: Secret 64 name: hubble-server-certs 65 jsonPointers: 66 - /data/ca.crt 67 - /data/tls.crt 68 - /data/tls.key 69 70 71 .. note:: 72 After applying the above configurations, for the settings to take effect, you will need to restart the Argo CD deployments. 73 74 Helm template with serviceMonitor enabled fails 75 =============================================== 76 77 Some users have reported that when they install Cilium using Argo CD and run ``helm template`` with ``serviceMonitor`` enabled, it fails. 78 It fails because Argo CD CLI doesn't pass the ``--api-versions`` flag to Helm upon deployment. 79 80 Solution 81 -------- 82 83 This `pull request <https://github.com/argoproj/argo-cd/pull/8371>`__ fixed this issue in Argo CD's `v2.3.0 release <https://github.com/argoproj/argo-cd/releases/tag/v2.3.0>`__. 84 Upgrade your Argo CD and check if ``helm template`` with ``serviceMonitor`` enabled still fails. 85 86 .. note:: 87 88 When using ``helm template``, it is highly recommended you set 89 ``--kube-version`` and ``--api-versions`` with the values matching your 90 target Kubernetes cluster. Helm charts such as Cilium's often conditionally 91 enable certain Kubernetes features based on their availability (beta vs 92 stable) on the target cluster. 93 94 By specifying ``--api-versions=monitoring.coreos.com/v1`` you should be 95 able to pass validation with ``helm template``. 96 97 If you have an issue with Argo CD that's not outlined above, check this `list 98 of Argo CD related issues on GitHub 99 <https://github.com/cilium/cilium/issues?q=is%3Aissue+argocd>`__. 100 If you can't find an issue that relates to yours, create one and/or seek help 101 on `Cilium Slack`_.