feat: fix dependency chain gaps in Cilium and ClusterProfile#46
Merged: patrick-hermann-sva merged 9 commits into main on Mar 31, 2026
Move hardcoded Vault CA bundle, address, PKI role, and policy name from the cluster-profile composition into a cluster-profile-defaults EnvironmentConfig. The composition now uses function-environment-configs to load defaults with a three-tier precedence chain: spec.vaultBaseSetup.* > EnvironmentConfig > hardcoded fallback. VaultBaseSetup and TrustManager are now auto-enabled for all non-kind clusters when the EnvironmentConfig provides a vault.caBundle.

Also updates README with:
- RemoteCluster prerequisite example
- Minimal k3s ClusterProfile example
- EnvironmentConfig documentation and precedence table
- Updated install instructions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
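The precedence chain and auto-enable rule from the commit message above, modelled in Python as an added example (not the composition's own code; the claim field names, the distribution check and the fallback values are assumptions):

```python
# Three-tier precedence resolver for the Vault settings described in the commit above.
# Constructed example, not the composition's code: field names, the kind-cluster check
# and the fallback values below are assumptions modelled on the message.
FALLBACK = {                                   # tier 3: hardcoded defaults (placeholders)
    "address": "https://vault.placeholder.invalid:8200",
    "pkiRole": "placeholder-pki-role",
    "policyName": "placeholder-policy",
    "caBundle": None,                          # no usable CA without an EnvironmentConfig
}
ENV_CONFIG = {                                 # constructed cluster-profile-defaults object
    "kind": "EnvironmentConfig",
    "metadata": {"name": "cluster-profile-defaults"},
    "data": {"vault": {"address": "https://vault.internal.example:8200",
                       "caBundle": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----",
                       "pkiRole": "cluster-certs", "policyName": "cluster-profile"}},
}

def env_vault(env_config: dict) -> dict:
    """The vault.* map from an EnvironmentConfig's data, or {} when absent."""
    return ((env_config or {}).get("data") or {}).get("vault") or {}

def resolve(key: str, claim_spec: dict, env_config: dict):
    """spec.vaultBaseSetup.<key> > EnvironmentConfig data.vault.<key> > FALLBACK[key]."""
    claim_val = (claim_spec.get("vaultBaseSetup") or {}).get(key)
    if claim_val is not None:
        return claim_val                       # tier 1: explicit value on the claim
    env_val = env_vault(env_config).get(key)   # tier 2: environment default
    return env_val if env_val is not None else FALLBACK.get(key)

def auto_enable(claim_spec: dict, env_config: dict) -> bool:
    """VaultBaseSetup/TrustManager default to on for non-kind clusters when the
    EnvironmentConfig supplies vault.caBundle. An explicit vaultBaseSetup.enabled on
    the claim is honoured first (assumed field name and behaviour)."""
    explicit = (claim_spec.get("vaultBaseSetup") or {}).get("enabled")
    if explicit is not None:
        return bool(explicit)
    if claim_spec.get("distribution") == "kind":   # assumed field carrying the distro
        return False
    return env_vault(env_config).get("caBundle") is not None
```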
The wildcard cert defaulted to vault-pki issuer when VaultBaseSetup was enabled, but VaultBaseSetup was gated on certManagerReady — creating a circular dependency. Now the wildcard cert uses cluster-ca (self-signed) initially, and only switches to vault-pki once VaultBaseSetup is actually ready. This allows cert-manager to become ready first, unblocking the rest of the pipeline.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Cilium is now deployed in two phases:
- Phase 1 (stage 1): Helm install with only CNI config, gated on observeReady. This ensures pods can start before cert-manager, VaultBaseSetup, etc. are deployed.
- Phase 2 (stage 5): LB pool + Gateway are enabled on the same XCilium once IP reservation and VaultBaseSetup are ready.

Flux is now gated on ciliumInstallReady (CNI working) instead of full ciliumReady (which includes Gateway), so GitOps starts earlier.

This fixes the deadlock where Cilium was gated behind cert-manager but cert-manager pods couldn't start without a CNI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ates
- deployCilium boolean: defaults to true from EnvironmentConfig, can be disabled per-claim (cilium.enabled: false) or per-environment for clusters that already have a CNI
- Cilium LB: enabled independently when IP reservation is satisfied
- Cilium Gateway: enabled independently when VaultBaseSetup is ready
- Three-phase Cilium: install (stage 1) → LB (stage 5a) → Gateway (stage 5b)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…able
- Wrap secondary sections (kind pipeline, feature matrix, sub-compositions, prerequisites, status fields, examples) in `<details>` for readability
- Add Cilium Helm values per distribution table
- Add feature auto-enablement per distribution table
- Add skip-Cilium claim example with EnvironmentConfig override

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Read nodeCount from RemoteCluster status and use min(desired, nodeCount) for Cilium operator replicas. This prevents scheduling 2 replicas on a single-node cluster where they'd be pointless.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When gatewayAPI.enabled is true, the composition now:
- Installs Gateway API CRDs via the upstream gateway-api Helm chart
- Creates the cilium GatewayClass as a composed Object
- GatewayClass depends on Cilium Helm release via Usage

This eliminates the need to manually install Gateway API CRDs on each target cluster before the Cilium Gateway can be created.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ions
XCilium: add gateway-api CRD → GatewayClass and GatewayClass → Gateway Usage resources to prevent race conditions during apply and teardown.

ClusterProfile: add FluxInit → Cilium Usage for deletion ordering, gate Gateway on TrustManager readiness (CA bundle propagation), and add clarifying comments for cert-manager reconcile lag, VBS/TM parallelism, and XCilium two-phase spec mutation.

Also fix functions.yaml (add function-environment-configs), update README render commands with --extra-resources flag, and add yq filter examples.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
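The readiness chain from the wildcard-cert, two-phase Cilium, and Usage-ordering commits above, modelled as a gate graph in an added example (not the repository's composition code; stage names and the *Ready flag names are assumptions taken from the messages). The cycle check reproduces the pre-fix deadlock and confirms the fixed chain has none:

```python
# Readiness-gate model of the dependency chain described in the commit messages above.
# Constructed example, not the repository's code: stage and *Ready flag names are assumptions.
FIXED_GATES = {                                # stage -> status flags it waits for
    "ciliumInstall": ["observeReady"],         # phase 1: CNI-only Helm install
    "certManager": ["ciliumInstallReady"],     # its pods need a CNI to start
    "wildcardCert": ["certManagerReady"],      # cluster-ca issuer; vault-pki once vbsReady
    "vaultBaseSetup": ["certManagerReady"],
    "trustManager": ["certManagerReady"],      # runs in parallel with VaultBaseSetup
    "fluxInit": ["ciliumInstallReady"],        # GitOps no longer waits for the Gateway
    "ciliumLB": ["ipReservationReady"],        # phase 2a
    "ciliumGateway": ["vbsReady", "tmReady"],  # phase 2b, after CA bundle propagation
}
BROKEN_GATES = {                               # pre-fix chain with its two deadlocks
    "cilium": ["certManagerReady"],            # ...but cert-manager pods need a CNI
    "certManager": ["ciliumReady"],
    "wildcardCert": ["vbsReady"],              # wanted the vault-pki issuer up front
    "vaultBaseSetup": ["certManagerReady"],    # ...which itself waits on cert-manager
}

def produces(stage: str) -> str:               # flag a stage raises once reconciled
    return {"vaultBaseSetup": "vbsReady", "trustManager": "tmReady"}.get(stage, stage + "Ready")

def find_cycle(gates: dict) -> list:
    """Return one cyclic path of stages if the gate graph deadlocks, else []."""
    producer = {produces(s): s for s in gates}  # flags with no producer are external inputs
    state = {}                                  # 1 = on current DFS path, 2 = finished
    path = []

    def visit(stage: str) -> bool:
        state[stage] = 1
        path.append(stage)
        for dep in (producer.get(f) for f in gates[stage]):
            if dep is None or state.get(dep) == 2:
                continue                        # external input or already cleared
            if state.get(dep) == 1:
                path.append(dep)                # back edge closes the loop
                return True
            if visit(dep):
                return True
        path.pop()
        state[stage] = 2
        return False

    for stage in gates:
        if state.get(stage) != 2 and visit(stage):
            return path[path.index(path[-1]):]
    return []

def enabled_stages(gates: dict, status: set) -> list:  # stages whose gates are all observed
    return [s for s, needs in gates.items() if all(f in status for f in needs)]
```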
Summary
- gateway-api CRD → GatewayClass and GatewayClass → Gateway Usage resources to prevent race conditions during apply and teardown
- _vbsReady and _tmReady), add clarifying comments for cert-manager reconcile lag, VBS/TM parallelism, and XCilium two-phase spec mutation
- --extra-resources flag, add k3s example and yq filter examples
- function-environment-configs declaration

Dependency chain (after fix)

Test plan
- crossplane render passes for cilium composition
- crossplane render passes for cluster-profile composition (kind + k3s examples)

🤖 Generated with Claude Code