install: Provide quick-hubble-install.yaml for Relay and UI #14221
Conversation
The `certloader` package used by Hubble to load the certificates is watching the file system for certificate updates. In case certificates do not exist yet, it is able to hold off creating the API endpoint until the certificates are created (e.g. by the `certgen` K8s cronjob). With this change, the daemon will print the message about missing certificates only once, instead of every 30 seconds. This is to simplify the deployment of Hubble Relay (see subsequent commits). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
To use Hubble Relay for cluster-wide visibility, the Cilium agent needs to expose the Hubble API on a (mTLS-protected) port, which is done via the `listenAddress` Helm value. Unfortunately, enabling that port requires changes to the Cilium agent DaemonSet, making it quite involved to enable Hubble Relay on an existing installation if Cilium was installed without Helm. This commit therefore enables `hubble.listenAddress` by default. The address is mTLS protected, therefore the overall operational impact of this is low. `hubble.listenAddress` can safely be enabled without providing the mTLS certificates and keys used to protect it. In that case, the port will not be opened until the certificates are provided (e.g. by creating the necessary K8s secrets), which can be done without a restart of cilium-agent. When installing Cilium via Helm, the certificates and keys are automatically generated at installation time (`hubble.tls.auto`). If Cilium is installed via quick-install.yaml, the certificates and keys are _not_ part of the pre-generated YAML to avoid accidental key-reuse. However, they can easily be generated after installation either manually with `kubectl create secret` or via `certgen`. Helper commands and documentation for this are added in subsequent commits. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This commit adds a new `quick-hubble-install.yaml` which is intended to be installed on top of a existing `quick-install.yaml` to deploy Hubble Relay and UI. It deploys `certgen` to create the necessary certificates in the cluster. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added
release-note/minor
gandro
force-pushed
the
pr/gandro/enable-hubble-listen-address-by-default
branch
2 times, most recently
from
d7ba39a
to
75f993e
Compare
gandro
force-pushed
the
pr/gandro/enable-hubble-listen-address-by-default
branch
from
75f993e
to
5f00eee
Compare
| @@ -159,6 +159,7 @@ contributors across the globe, there is almost always someone available to help. | |||
| | hostServices.enabled | bool | `false` | Enable host reachable services. | | |||
| | hostServices.protocols | string | `"tcp,udp"` | Supported list of protocols to apply ClusterIP translation to. | | |||
| | hubble.enabled | bool | `true` | Enable Hubble (true by default). | | |||
| | hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. | | |||
There was a problem hiding this comment.
not directly related to this PR, but i guess relay can now use hubble.listenAddress to figure out which port hubble is listening on instead of assuming 4244 cc @rolinh
There was a problem hiding this comment.
Hubble Relay is relying solely on the peer service and making it rely on other sources could create inconsistencies.
IIRC, the peer service already uses this value and assume it's the same one for every peer (I'd need to check to be sure, it could also just be using the default value for the port in the code).
There was a problem hiding this comment.
@rolinh The peer service doesn't provide the port in the ChangeNotification, only the IP address:
cilium/pkg/hubble/peer/handler.go
Lines 142 to 154 in 2e3b9e8
Then relay assume the default port (hardcoded constant):
cilium/pkg/hubble/peer/types/peer.go
Line 87 in 45b5abf
There was a problem hiding this comment.
@kaworu Ah right, I remember now. I think this information should be added to the peer service. IIRC, Relay uses the default value for the port if the peer service does not provide this information already.
There was a problem hiding this comment.
@rolinh agreed, we already have an issue for that FWIW.
|
test-me-please |
| @@ -159,6 +159,7 @@ contributors across the globe, there is almost always someone available to help. | |||
| | hostServices.enabled | bool | `false` | Enable host reachable services. | | |||
| | hostServices.protocols | string | `"tcp,udp"` | Supported list of protocols to apply ClusterIP translation to. | | |||
| | hubble.enabled | bool | `true` | Enable Hubble (true by default). | | |||
| | hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. | | |||
There was a problem hiding this comment.
Hubble Relay is relying solely on the peer service and making it rely on other sources could create inconsistencies.
IIRC, the peer service already uses this value and assume it's the same one for every peer (I'd need to check to be sure, it could also just be using the default value for the port in the code).
There was a problem hiding this comment.
LGTM.
Can you also help to add one more entry to avoid drift ?
cilium/.github/workflows/smoke-test.yaml
Lines 56 to 59 in 2e3b9e8
Done! Thanks! |
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds the `quick-hubble-install.yaml` installation method to the "Enable Hubble" section. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This adds the hubble-enable.rst section to more installation guides. The Hubble section is still missing from some installation methods, such as kops, microk8s, and okd/openshift, as they rely neither on `helm install`, nor `quick-install.yaml` and likely need custom instructions. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
force-pushed
the
pr/gandro/enable-hubble-listen-address-by-default
branch
from
d7675f5
to
70a2acb
Compare
|
test-me-please |
gandro
added
the
ready-to-merge
joestringer
deleted the
pr/gandro/enable-hubble-listen-address-by-default
branch
|
Do we still need |
I'd say so, yes. This allows to enable beta/experimental features to make it easier for users to try out. |
This seems like a pretty solid usability win. I've seen users on Slack who install Cilium via kops or use GKE dataplane v2 wondering how they can enable hubble in their clusters without reworking the way that they deploy Cilium. I presume those are the kind of cases that this PR is aimed to simplify? There's certainly an open question about default-deploying with the additional socket. Performance-wise I don't think it will make a meaningful difference as hubble is already enabled by default in the agent. Security-wise I understand we require mTLS on the socket but I don't have too much more understanding of the implications on that side. The other side is that we won't do 1.10 for a few months so Hubble will be naturally a little harder to deploy during that period. Then the sooner we make the change, the more impact that choice has.
For this reason, if we decide to backport, I would suggest splitting the functional changes from the docs, do the functional changes first, then release 1.9.2, then backport & fix up the docs. Otherwise we would need to add "Upgrade to 1.9.2" type statements into the docs prior to the 1.9.2 release, which would be immediately rendered on http://docs.cilium.io/en/v1.9 , and would be very confusing for the period between merging the changes and actually releasing them. |
Exactly. I also think it's a very solid usability win. Without this PR, it's virtually impossible for users who don't use Helm to enable Hubble Relay/Hubble UI.
This means a TLS certificate trusted by the CA needs to be presented by a client to connect to a Hubble endpoint or the access is denied. Only Hubble Relay is allowed access. The important point to note though is that until a TLS keypair is added for Hubble server, the agent won't listen on port |
Yes. With the way this PR is set up right now, we are creating the mTLS secrets via Helm even if the user will never install Relay. This is something we could and probably should tweak a bit and ensure that the server certificates are only generated by Helm if In that case, the Hubble API port will never even be opened until the secrets are created (either by running Lines 188 to 197 in 70a2acb
Very good point! |
This is a very good point. I think it indeed makes sense to add an |
The Hubble API exposed by Cilium Agent and used by Hubble Relay is protected by mTLS by default. Since #14221, the Cilium DaemonSet is configured to open that API endpoint by default, this makes the deployment of Relay on top of an already existing Cilium installation easier. However, because the Hubble API is only ever accessed by Relay, there is no point in deploying the mTLS secrets before Relay is deployed. Thus, this commit only deploys the Helm-generated mTLS secrets when Relay is enabled. This also means that listening on the Hubble API port is will be delayed until the certs are in created in Kubernetes. Once the certs are created, the port will be opened without a pod restart, as we are watching for the certificate creation on the volume mount via the `certloader` package. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
The Hubble API exposed by Cilium Agent and used by Hubble Relay is protected by mTLS by default. Since #14221, the Cilium DaemonSet is configured to open that API endpoint by default, this makes the deployment of Relay on top of an already existing Cilium installation easier. However, because the Hubble API is only ever accessed by Relay, there is no point in deploying the mTLS secrets before Relay is deployed. Thus, this commit only deploys the Helm-generated mTLS secrets when Relay is enabled. This also means that listening on the Hubble API port is will be delayed until the certs are in created in Kubernetes. Once the certs are created, the port will be opened without a pod restart, as we are watching for the certificate creation on the volume mount via the `certloader` package. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
The Hubble API exposed by Cilium Agent and used by Hubble Relay is protected by mTLS by default. Since #14221, the Cilium DaemonSet is configured to open that API endpoint by default, this makes the deployment of Relay on top of an already existing Cilium installation easier. However, because the Hubble API is only ever accessed by Relay, there is no point in deploying the mTLS secrets before Relay is deployed. Thus, this commit only deploys the Helm-generated mTLS secrets when Relay is enabled. This also means that listening on the Hubble API port is will be delayed until the certs are in created in Kubernetes. Once the certs are created, the port will be opened without a pod restart, as we are watching for the certificate creation on the volume mount via the `certloader` package. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit de8b14e ] The Hubble API exposed by Cilium Agent and used by Hubble Relay is protected by mTLS by default. Since #14221, the Cilium DaemonSet is configured to open that API endpoint by default, this makes the deployment of Relay on top of an already existing Cilium installation easier. However, because the Hubble API is only ever accessed by Relay, there is no point in deploying the mTLS secrets before Relay is deployed. Thus, this commit only deploys the Helm-generated mTLS secrets when Relay is enabled. This also means that listening on the Hubble API port is will be delayed until the certs are in created in Kubernetes. Once the certs are created, the port will be opened without a pod restart, as we are watching for the certificate creation on the volume mount via the `certloader` package. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
[ upstream commit de8b14e ] The Hubble API exposed by Cilium Agent and used by Hubble Relay is protected by mTLS by default. Since #14221, the Cilium DaemonSet is configured to open that API endpoint by default, this makes the deployment of Relay on top of an already existing Cilium installation easier. However, because the Hubble API is only ever accessed by Relay, there is no point in deploying the mTLS secrets before Relay is deployed. Thus, this commit only deploys the Helm-generated mTLS secrets when Relay is enabled. This also means that listening on the Hubble API port is will be delayed until the certs are in created in Kubernetes. Once the certs are created, the port will be opened without a pod restart, as we are watching for the certificate creation on the volume mount via the `certloader` package. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This PR aims to streamline the installation of Hubble (Relay and UI) a bit by providing a
quick-hubble-install.yamlwhich can be applied on top of the existingquick-install.yaml:To make the above work, the
listenAddressneeds to be set by default, as otherwise installing Relay requires modifications to the cilium DaemonSet. The Hubble listen address is mTLS protected, therefore the overall operational impact of this should be low:hubble.listenAddresscan safely be enabled without providing the mTLS certificates and keys used to protect it. In that case, the port will not be opened until the certificates are provided (e.g. by creating the necessary K8s secrets), which can be done without a restart of cilium-agent.When installing Cilium via Helm, the certificates and keys are automatically generated at installation time (
hubble.tls.auto).If Cilium is installed via
quick-install.yaml, the certificates and keys are not part of the pre-generated YAML to avoid accidental key-reuse. They will be generated viacertgenin thequick-hubble-install.yamlinstead.The documentation is updated to refer to the
quick-hubble-install.yamlwhere it makes sense. See commit messages for more details.Unresolved questions:
quick-hubble-install.yamlover an older 1.9.0 installation, which will not work (aslistenAddressis not set in 1.9.0).