hubble: fix enable/disable command when cilium-cli-helm-values does…
#1020
Conversation
There was a problem hiding this comment.
LGTM! i'd like to get this reviewed by @gandro as well he's been looking into this area.
There was a problem hiding this comment.
Thanks for the PR!
This PR falls back to using default configuration for the Cilium ConfigMap. That in turn will lead to unexpected results unfortunately: I tried this PR and it reset the whole Cilium configuration (e.g. disabling all custom features I enabled during install), which I don't think is what most users want. For example, I installed Cilium with PortMap chaining enabled (cni.chainingMode=portmap in Helm), and this was removed after I invoked cilium hubble enable.
The only way to support cilium hubble enable|disable against an unknown installation is that we ensure we do not replace any existing objects (such as the Cilium ConfigMap and DaemonSet), and instead only patch them to add whatever we need for Hubble. That requires a bit more work, but should be doable in practice.
|
@gandro thanks for testing and for your input. I am keen to have a deeper look into this, unless someone else can provide a faster resolution. |
|
@olga-mir Thanks, makes sense. Our long-term plan for the CLI is to migrate it to use fully use Helm in the backend, so instead of having Of course, that will require one to have Cilium installed via CLI or Helm (and not e.g. via a statically applied YAML), so the having a fallback which still works even if no Helm state is available would likely be nice to have regardless. But I'm not sure how feasible that will be. |
|
Tested this with
|
|
Thanks a lot. The diff approach is pretty clever!
Yeah, it's an unfortunate situation. Overall, I'm not too worried about the set of values, they are somewhat stable between releases, and often fall-back to a sensible default if a value is missing. If more Hubble-related values get added that break things, we'll hopefully catch it in CI.
If it's not too hard to implement, I think that would be ideal.
There is also an issue with
There is one shortcoming which just patching the ConfigMap - the But I'm fine to address that in a follow-up PR. Not even sure how to filter out that particular section when diffing the deployment. Maybe instead of automatically creating a patch based on the old and new Helm state, I would also be fine with having a hand-crafted JSON patch in case we don't have an old Helm state. And just try to apply that over the existing deployment. It would mean different paths depending on if we have the Helm state available or not, but might be more robust. |
|
I think this is fine to leave it without version check. Looking at file blame on master, the changes to this section were done 2 and 3 years ago (with one exception 5 months ago which was only a whitespace change). I didn't dig into having a hand-crafted JSON patch implementation, but it feels that it will be more awkward as it will require passing a new parameter along few functions calls, from As for the daemonset bug, it should be ok to leave for a follow-up PR because it is not a regression introduced in this PR. By default if no hubble parameters are specified, hubble is enabled both in I did find another issue though which is a regression compared to the current behavior when cilium is installed with cilium-cli. On released cilium-cli: $ cilium install
$ cilium hubble enable --ui # worksOn this PR: $ helm install ...
$ ./cilium hubble enable --ui
...
Error: Unable to enable Hubble: services "hubble-peer" already existsThis actually looks like Other than that it seems ok, the configmap values are preserved and |
|
|
||
| // all hubble values from `cilium-config“ configmap | ||
| // https://github.com/cilium/cilium/blob/d9a04be9d714e5f5544cbca7ef8db7a151bfce96/install/kubernetes/cilium/templates/cilium-configmap.yaml#L709-L750 | ||
| var HubbleKeys = []string{ |
There was a problem hiding this comment.
Can you add a quick comment as to what this array is for? And, perhaps, a follow-up PR in the helm chart that points users to this code if they add more hubble config keys?
There was a problem hiding this comment.
Done. On second thought - a key is a hubble related key if and only if it has hubble substring in its name, at least up until now this was always true. Would it be less hacky if we just check if the string contains hubble?
There was a problem hiding this comment.
Bah, I'm not sure. @chancez?
There was a problem hiding this comment.
Yeah, I like that proposal. Feel free to implement. But the manually maintained list also is fine, I don't expect too much churn.
There was a problem hiding this comment.
I'm not sure to be honest. I'd have to review all the flags in more detail. I think if your checking only for hubble then you will also catch the hubble-relay options, so that might be an issue?
There was a problem hiding this comment.
Hubble Relay options are stored in a different configmap. This map here is only read by the Cilium Agent and the Operator (the latter does not parse any Hubble values).
There was a problem hiding this comment.
Ah I didn't read the whole context, that makes sense.
|
Commit 6a64764 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
This needs to be addressed before the PR can be merged |
olga-mir
force-pushed
the
fix/issue-959-fix-hubble-cmd
branch
from
7cad3d4 to
854c3ca
Compare
|
the newbie mistake - merge commit caused by “update branch” in UI. I’ve removed the commit and had to force push the branch. |
|
@olga-mir There seems to be an issue with vendoring: Might be due to jsonpatch? Or is this a bug in CI? 🤔 |
… not exist This commit fixes hubble enable and disable commands which are broken when cilium initially was not installed with cilium-cli. In these cases `cilium-cli-helm-values` secret does not exist and all `cilium hubble` commands fail. Since hubble components are cherry-picked from the generated helm manifests, it should be safe to proceed without the full helm values state. We should not write the new helm state to the cluster so that if in the future other components need to use it, we don't inadvertently over shadow real installation parameters. Fixes: cilium#959 Signed-off-by: Olga Mirensky <5200844+olga-mir@users.noreply.github.com>
olga-mir
force-pushed
the
fix/issue-959-fix-hubble-cmd
branch
from
fdc5e5a to
a0846c1
Compare
|
there is no further changes to this PR, if we can leave this #1020 (comment) improvement to a follow up PR. |
Agreed, that can be done in a follow-up. Let's run CI and then this should be ready to merge. Thanks again @olga-mir! |
gandro
added
the
ready-to-merge
|
Thanks a lot for your fix 💯 , this issue was annoying as part of day to day cli usage 🎖️ |
… not exist
This commit fixes hubble enable and disable commands which are broken
when cilium initially was not installed with cilium-cli. In these cases
cilium-cli-helm-valuessecret does not exist and allcilium hubblecommands fail.
Since hubble components are cherry-picked from the generated helm manifests,
it should be safe to proceed without the full helm values state.
We should not write the new helm state to the cluster so that if in the
future other components need to use it, we don't inadvertently
over shadow real installation parameters.
Fixes: #959
Signed-off-by: Olga Mirensky 5200844+olga-mir@users.noreply.github.com