isovalent / olm-for-cilium

OpenShift Operator Lifecycle Manager for Cilium

`genSignedCert` causes `helm-operator` to do no-op upgrades in a loop #87

Open domq opened 3 months ago

domq commented 3 months ago

What I attempted: install Cilium on OpenShift 4.13.32, according to the instructions

What I expected would happen: the cilium-olm operator would do its thing, and then go sit tight in the background.

What I observed instead: `watch helm ls -A` shows the REVISION of the cilium Helm chart going up roughly once every 7 seconds.

Diffing two subsequent versions of `oc -n cilium get secret -o yaml` shows that the `tls.crt` and `tls.key` entries in `secret/hubble-server-certs` and `secret/hubble-relay-client-certs` are changed each time, as well as some sequence numbers and Helm's release fields.

Setting `hubble.auto.tls.method` to `certmanager` stops the upgrade loop.

domq commented 3 months ago

The key insight for the workaround outlined above was found here.

davtex commented 1 month ago

I am facing the same issue on OpenShift 4.14 and Cilium 1.15.1 with cilium-apiserver enabled and default TLS settings. The operator seems to generate new apiserver certificates with each Helm run, which puts it into an endless reconciliation loop. I am at Helm iteration 1670 after a couple of hours + this is making the OLM pod consume 1 CPU and generate a massive amount of logs with debug enabled + it keeps changing the generated secret with each run.
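The secret diff domq did by hand, and the per-run secret churn davtex describes, can be checked with a short script. This is an added example, not code from the issue or from the olm-for-cilium project: it assumes two `oc -n cilium get secret -o json` snapshots taken a few seconds apart (JSON rather than the YAML used in the comment, so only the standard library is needed), builds constructed stand-in data for them, and reports which non-Helm secrets had their `tls.crt`/`tls.key` regenerated between consecutive revisions.

```python
import base64
import hashlib
import json

def _secret(name: str, data: dict, kind: str = "Opaque") -> dict:
    enc = {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}
    return {"metadata": {"name": name}, "type": kind, "data": enc}

def _snapshot(helm_rev: int, tag: str) -> str:
    """Constructed stand-in for one `oc -n cilium get secret -o json` dump; `tag`
    distinguishes the certificate material rendered for that Helm revision."""
    tls = "kubernetes.io/tls"
    return json.dumps({"kind": "List", "items": [
        _secret("cilium-ca", {"ca.crt": "CA-PEM"}),
        _secret("hubble-server-certs",
                {"ca.crt": "CA-PEM", "tls.crt": f"SERVER-CERT-{tag}", "tls.key": f"SERVER-KEY-{tag}"}, tls),
        _secret("hubble-relay-client-certs",
                {"ca.crt": "CA-PEM", "tls.crt": f"CLIENT-CERT-{tag}", "tls.key": f"CLIENT-KEY-{tag}"}, tls),
        _secret(f"sh.helm.release.v1.cilium.v{helm_rev}", {"release": f"REL-{helm_rev}"}, "helm.sh/release.v1"),
    ]})

SNAPSHOT_A = _snapshot(41, "a")  # constructed: cluster state at Helm revision 41
SNAPSHOT_B = _snapshot(42, "b")  # constructed: state a few seconds later, revision 42

def data_fingerprints(snapshot_json: str) -> dict:
    """Map (secret name, data key) -> sha256 of the decoded value. Helm's own
    release-tracking secrets are skipped: they legitimately differ per revision."""
    out = {}
    for item in json.loads(snapshot_json)["items"]:
        if item.get("type") == "helm.sh/release.v1":
            continue
        name = item["metadata"]["name"]
        for key, val in item.get("data", {}).items():
            out[(name, key)] = hashlib.sha256(base64.b64decode(val)).hexdigest()
    return out

def changed_keys(snap_a: str, snap_b: str) -> list:
    """Sorted (secret, key) pairs whose contents differ between the two snapshots."""
    a, b = data_fingerprints(snap_a), data_fingerprints(snap_b)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def churning_tls_secrets(snap_a: str, snap_b: str) -> list:
    """Secrets whose tls.crt or tls.key was regenerated between consecutive Helm
    revisions; absent a config change, that points at template-time cert generation."""
    return sorted({n for n, k in changed_keys(snap_a, snap_b) if k in ("tls.crt", "tls.key")})

if __name__ == "__main__":
    print("regenerated TLS material:", churning_tls_secrets(SNAPSHOT_A, SNAPSHOT_B))
```

Against real dumps, replace the two constructed snapshots with the file contents; an unchanged `ca.crt` next to a rotating `tls.crt`/`tls.key` on every revision is the signature of the loop described in this issue.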