fix: mount Hubble TLS volume in Cilium configuration make it optional to prevent pod startup issues when no TLS secret is provided (#3803)

kubermatic-bot · tobstone · web-flow · commit 4f1e21d21f7b · 2025-08-31T21:47:19.000+02:00
closes #3794 Signed-off-by: tobstone <tobias@stonehope.de> Co-authored-by: tobstone <tobias@stonehope.de>
diff --git a/addons/cni-cilium/Kustomization b/addons/cni-cilium/Kustomization
@@ -3,12 +3,12 @@ kind: Kustomization
 namespace: kube-system
 
 helmCharts:
-- name: cilium
-  repo: https://helm.cilium.io/
-  version: 1.17.3
-  releaseName: cilium
-  namespace: kube-system
-  valuesFile: helm-values
+  - name: cilium
+    repo: https://helm.cilium.io/
+    version: 1.17.3
+    releaseName: cilium
+    namespace: kube-system
+    valuesFile: helm-values
 
 patches:
   - patch: |-
@@ -55,6 +55,10 @@ patches:
                         name: cilium-config
                         key: KUBERNETES_SERVICE_PORT
                         optional: true
+                volumeMounts:
+                  - name: hubble-tls
+                    mountPath: /var/lib/cilium/tls/hubble
+                    readOnly: true
             initContainers:
               - name: config
                 image: '{{ .InternalImages.Get "Cilium" }}'
@@ -94,6 +98,21 @@ patches:
                         optional: true
               - name: install-cni-binaries
                 image: '{{ .InternalImages.Get "Cilium" }}'
+            volumes:
+              - name: hubble-tls
+                projected:
+                  defaultMode: 256
+                  sources:
+                  - secret:
+                      name: hubble-server-certs
+                      optional: true
+                      items:
+                      - key: tls.crt
+                        path: server.crt
+                      - key: tls.key
+                        path: server.key
+                      - key: ca.crt
+                        path: client-ca.crt
   - patch: |-
       apiVersion: apps/v1
       kind: Deployment
diff --git a/addons/cni-cilium/cilium.yaml b/addons/cni-cilium/cilium.yaml
@@ -1198,6 +1198,9 @@ spec:
             successThreshold: 1
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
+            - mountPath: /var/lib/cilium/tls/hubble
+              name: hubble-tls
+              readOnly: true
             - mountPath: /var/run/cilium/envoy/sockets
               name: envoy-sockets
               readOnly: false
@@ -1429,6 +1432,20 @@ spec:
       tolerations:
         - operator: Exists
       volumes:
+        - name: hubble-tls
+          projected:
+            defaultMode: 256
+            sources:
+              - secret:
+                  items:
+                    - key: tls.crt
+                      path: server.crt
+                    - key: tls.key
+                      path: server.key
+                    - key: ca.crt
+                      path: client-ca.crt
+                  name: hubble-server-certs
+                  optional: true
         - emptyDir: {}
           name: tmp
         - hostPath:
