Add hubble helm charts to cilium install/kubernetes

[soumynathan]

Add hubble helm charts to cilium install/kubernetes

Fixes: #10647
Signed-off-by: Swaminathan Vasudevan svasudevan@suse.com

[maintainer-s-little-helper]

Please set the appropriate release note label.

[coveralls]

Coverage increased (+0.03%) to 44.651% when pulling ef7360c on soumynathan:add-hubble-helm-charts-to-cilium into 43570d5 on cilium:master.

[aanm]

please add the constraint to specify the priorityClassName based on the k8s version

[soumynathan]

Can you elaborate on this. I am not sure if I am getting it right.

[soumynathan]

I think I added similar to the one from the cilium/daemonset.yaml, to add constraints for k8s version.
Please let me know if this would work.

[aanm]

yes, that exactly.

[aanm]

@soumynathan this does not seem to be addressed

[soumynathan]

I will fix this, I am working on other values to be realigned.

[aanm]

test-me-please

[soumynathan]

test failure doesn't seem to relate to the patch.

[joestringer]

Following the Ginkgo link from the box at the bottom of the issue:

https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18092/

The tests that fail, fail on both k8s-1.11 and k8s-1.17 which suggests that the failure is reliable, not a flake.

Following one of the test links from the bottom of the page:

https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18092/testReport/junit/Suite-k8s-1/11/K8sChaosTest_Connectivity_demo_application_Endpoint_can_still_connect_while_Cilium_is_not_running/

Cilium cannot be installed
Expected
    <*helpers.cmdError | 0xc00041f870>: Unable to generate YAML (exit status 1) output: cmd: helm template /home/jenkins/workspace/Cilium-PR-Ginkgo-Tests-Validated/k8s-1.11-gopath/src/github.com/cilium/cilium/install/kubernetes/cilium --namespace=kube-system  --set global.k8sServicePort=6443  --set preflight.image=cilium-dev  --set global.psp.enabled=true  --set global.etcd.leaseTTL=30s  --set agent.image=cilium-dev  --set managed-etcd.registry=docker.io/cilium  --set global.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key=cilium.io/ci-node  --set global.debug.enabled=true  --set global.k8s.requireIPv4PodCIDR=true  --set operator.image=operator  --set global.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator=NotIn  --set global.nodePort.device=enp0s8  --set global.debug.verbose=flow  --set global.ipv6.enabled=true  --set global.tag=latest  --set global.registry=147.75.194.233/cilium  --set global.ipv4.enabled=true  --set global.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]=k8s3  --set global.k8sServiceHost=192.168.36.11  --set global.kubeProxyReplacement=strict  --set global.pprof.enabled=true  --set global.logSystemLoad=true  --set global.bpf.preallocateMaps=true  > cilium-15fe1b31abca9b8a.yaml
Exitcode: 1 
Stdout:
 	 
Stderr:
 	 Error: error unpacking hubble in cilium: cannot load values.yaml: error converting YAML to JSON: yaml: line 100: could not find expected ':'

This seems related to the PR.

Sidenote: The Travis failure looks like #10615 which should be fixed on master, so should be resolved after rebase.

[aanm]

test-me-please

EDIT: Provisioning failure:
https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18159/

[joestringer]

test-me-please

[soumynathan]

This is the change (hubble/values.yaml) that is causing the test to fail. ( NOT sure what is wrong with this) - Any thoughts

  priorityClassName: system-node-critical
{{- end }}

[soumynathan]

test-me-please

[aanm]

test-me-please

[gandro]

@soumynathan Thanks a lot for this PR!

I am however a bit wary of the implications the duplicated helm chart causes with regards to user experience and code maintenance

• Currently all documentation (e.g. Cilium 1.7 stable docs and the Markdown files inside the Hubble repository) refer to the chart over at https://github.com/cilium/hubble/tree/master/install/kubernetes. Should users continue to use the charts at cilium/hubble or should they use the ones in cilium/cilium?
• We have not even merged this PR yet, but the Helm charts have already started to diverge between the two repositories (e.g. the if-statement around the priorityClassName was implemented slightly differently in helm: Add priorityClassName for kube-system only hubble#189). This will only get worse over time.

I think we have to make a call which repository (cilium/hubble or cilium/cilium) should contain the Helm charts. If we decide that cilium/cilium is the repository with the charts, then we also need to update the documentation, add the Hubble charts to the CODEOWNERs for the @cilium/hubble team and remove it from the cilium/hubble repository.

I personally have no strong opinion in which repository the charts should live. I can see arguments for both: cilium/cilium has the better CI, but cilium/hubble is closer to the code, allowing atomic changes to e.g. command-line arguments and helm charts at the same time.

[tgraf]

Echoing what @gandro already wrote. Given that we have merged Hubble into Cilium. It makes more sense to integrate the Hubble helm charts directly into the Cilium Helm charts to allow enablement of Hubble via a single Helm option as it runs as part of Cilium.

[aanm]

@soumynathan Thanks a lot for this PR!

I am however a bit wary of the implications the duplicated helm chart causes with regards to user experience and code maintenance

• Currently all documentation (e.g. Cilium 1.7 stable docs and the Markdown files inside the Hubble repository) refer to the chart over at https://github.com/cilium/hubble/tree/master/install/kubernetes. Should users continue to use the charts at cilium/hubble or should they use the ones in cilium/cilium?
• We have not even merged this PR yet, but the Helm charts have already started to diverge between the two repositories (e.g. the if-statement around the priorityClassName was implemented slightly differently in cilium/hubble#189). This will only get worse over time.

I think we have to make a call which repository (cilium/hubble or cilium/cilium) should contain the Helm charts. If we decide that cilium/cilium is the repository with the charts, then we also need to update the documentation, add the Hubble charts to the CODEOWNERs for the @cilium/hubble team and remove it from the cilium/hubble repository.

I personally have no strong opinion in which repository the charts should live. I can see arguments for both: cilium/cilium has the better CI, but cilium/hubble is closer to the code, allowing atomic changes to e.g. command-line arguments and helm charts at the same time.

@gandro the helm charts could still live in cilium/hubble for developers. Once the hubble library version is updated in cilium/cilium/go.mod it would also update the helm charts in the same PR.

[gandro]

@gandro the helm charts could still live in cilium/hubble for developers. Once the hubble library version is updated in cilium/cilium/go.mod it would also update the helm charts in the same PR.

So a few of the developers working on Hubble discussed this PR offline a bit last week. Our conclusion (as @tgraf already mentioned) was that since we are sunsetting the Hubble "stand-alone mode" in favor of "embedded-mode" (PR #10238), we don't want the Hubble DaemonSet (the "stand-alone" mode) in the Cilium 1.8+ branch. Therefore it doesn't make much sense to me to add the additional maintenance burden of having to sync the Helm charts.

So going forward, the idea is that the helm charts in the cilium/cilium repository will be the ones that users should use to deploy hubble. However, instead of deploying the Hubble DaemonSet, we want the charts to enable the Hubble server running inside cilium-agent.

Stand-alone mode will continue to be available for users of Cilium 1.6 and 1.7, however it doesn't make sense to have these helm charts in the Cilium 1.8+ branch.

[aanm]

@soumynathan this does not seem to be addressed

[gandro]

As mentioned in #10648 (comment) we are deprecating this DaemonSet as of Cilium 1.8. Could you remove the hubble DaemonSet and all related values instead make sure the chart works with embedded Hubble? The config map for embedded Hubble is here (based on #10794):

https://github.com/cilium/cilium/blob/95f492f25d8ea7a1585503b36683eb690be40b5b/install/kubernetes/cilium/charts/config/templates/configmap.yaml#L363-L387

I think most of the work for the Hubble server itself is already done. The CRI metadata is not implemented in embedded Hubble, so that these values can be removed. I think the biggest change is extending the hubble-listen-addresses in the ConfigMap to add a listener on port 50051 when .Values.ui.enabled is true, similar to how this DaemonSet currently does it.

Please do not hesitate to reach out to either me other other folks in #hubble-devel on Slack if you have questions or need some help or pointers. Thanks!

[soumynathan]

Sure will address your comments and will contact you for any questions.

[soumynathan]

What do you think. Should I continue with this PR or drop it?

[gandro]

It's up to you. We do want to have the UI and other components part of the Helm chart eventually, so adapting this PR does make sense. Feel free to ping me privately if you need assistance!

[soumynathan]

It's up to you. We do want to have the UI and other components part of the Helm chart eventually, so adapting this PR does make sense. Feel free to ping me privately if you need assistance!

Sure will check with you.

[soumynathan]

It's up to you. We do want to have the UI and other components part of the Helm chart eventually, so adapting this PR does make sense. Feel free to ping me privately if you need assistance!

@gandro So in this case do you want me to completely remove the daemonset.yaml and incorporate the changes in the config/templates/configmap.yaml or want to create a configmap.yaml in hubble/templates/configmap,yaml and configure everything there. Can you confirm.

[gandro]

@gandro So in this case do you want me to completely remove the daemonset.yaml and incorporate the changes in the config/templates/configmap.yaml or want to create a configmap.yaml in hubble/templates/configmap,yaml and configure everything there. Can you confirm.

Kind of. So the way I imagine this is that there is not seperate hubble chart anymore, so hubble/templates/configmap,yaml should not exist. The only new chart should be the one for hubble-ui. hubble itself now lives inside cilium-agent. Therefore, all Hubble related values are set in config/templates/configmap.yaml.

I think the version you pushed now seems to already do that 🎉 I will do a more in depth review soon!

[gandro]

I just noticed that you also need to update the requirements.yaml to include the hubble-ui chart.

[aanm]

I'm not sure if this should be addressed here or in a follow up. For consistency across hubble and cilium, the user should specify the metrics server in the same way it configures it for Cilium. --set global.hubble.metricsServer is setting IP and port. In Cilium there's a flag dedicated for the address and another dedicated for port. cc @gandro

[gandro]

I agree, but let's do that in a follow-up.

[soumynathan]

So we will address this in the follow-up

[gandro]

@soumynathan Can you please add the hubble-ui chart to https://github.com/cilium/cilium/blob/master/install/kubernetes/cilium/requirements.yaml ?

[soumynathan]

@soumynathan Can you please add the hubble-ui chart to https://github.com/cilium/cilium/blob/master/install/kubernetes/cilium/requirements.yaml ?

Done.

[gandro]

Thanks @soumynathan - only two small changes requested.

[aanm]

test-me-please

[gandro]

Looking good! 🎉

[rolinh]

LGTM. I've added comments for a few points that need to be addressed in a follow-up PR once hubble-relay is included in the charts.

[rolinh]

Note to self: port 50051 will not work with hubble-relay. This needs to be addressed once hubble-relay is included in the charts.
cc @michi-covalent (as I think you're already working on the charts for hubble-relay).

[rolinh]

I think we want port 80/443 for hubble-ui but this can be addressed in a follow-up PR (cc @geakstr @michi-covalent)