
examples: add an example of a hubble-cli Deployment #16459

Merged
merged 1 commit into from Jun 8, 2021

Conversation

kaworu

@kaworu kaworu commented Jun 7, 2021

NOTE: This PR aims to replace both #14615 (which makes little sense now that we don't have the auto-generated install.yaml stuff) and cilium/cilium-cli#172 (which has its own limitations with respect to Hubble TLS layout changes). There is a corresponding backport PR of this targeting v1.9 at #16460.

In order to debug Relay to Hubble connectivity issues, it is sometimes useful to have a Pod running with the Hubble CLI.

Because the Relay image is based on a scratch image, kubectl exec'ing into it is not possible. While the Hubble CLI can be found in the Cilium Pods, the Relay certificate needed to establish the mTLS handshake to the Hubble server is not mounted into the Cilium Pods.

This commit introduces a new hubble-cli Deployment example. When debugging Relay mTLS issues, it can be used to quickly run a hubble-cli Pod:

kubectl apply -n kube-system -f url/to/hubble-cli.yaml

Since the Relay mTLS certificates are mounted into the hubble-cli Pods, one can connect to a Hubble server given its IP address and ServerName:

kubectl exec -it -n kube-system deployment/hubble-cli -- \
    hubble observe --server tls://${IP?}:4244 \
        --tls-server-name ${SERVERNAME?} \
        --tls-ca-cert-files /var/lib/hubble-relay/tls/hubble-server-ca.crt \
        --tls-client-cert-file /var/lib/hubble-relay/tls/client.crt \
        --tls-client-key-file /var/lib/hubble-relay/tls/client.key

Both ${IP} and ${SERVERNAME} can be obtained by either looking at the Hubble Relay Pod logs or alternatively by running:

kubectl exec -it -n kube-system deployment/hubble-cli -- \
    hubble watch peers --server unix:///var/run/cilium/hubble.sock

@kaworu kaworu added kind/enhancement This would improve or streamline existing functionality. area/misc Impacts miscellaneous areas of the code not otherwise owned by another area. sig/hubble Impacts hubble server or relay needs-backport/1.10 labels Jun 7, 2021
@kaworu kaworu requested a review from a team as a code owner June 7, 2021 15:47
@kaworu kaworu requested a review from qmonnet June 7, 2021 15:47
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jun 7, 2021
@kaworu kaworu added the release-note/misc This PR makes changes that have no direct user impact. label Jun 7, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 7, 2021
@kaworu kaworu force-pushed the pr/kaworu/hubble-cli.yaml branch from 740999c to dc8bce6 Compare June 7, 2021 15:49

@qmonnet qmonnet left a comment


Would that make sense to mention this deployment somewhere in the documentation?

In order to debug Relay to Hubble connectivity issues, it is sometimes
useful to have a Pod running with the Hubble CLI.

Because the Relay image is based on a scratch image, kubectl exec'ing
into it is not possible. While the Hubble CLI can be found in the Cilium
Pods, the Relay certificate needed to establish the mTLS handshake to
the Hubble server is not mounted into the Cilium Pods.

This commit introduces a new hubble-cli Deployment example. When
debugging Relay mTLS issues, it can be used to quickly run a hubble-cli
Pod:

    kubectl apply -n kube-system -f path/to/hubble-cli.yaml

Since the Relay mTLS certificates are mounted into the hubble-cli Pods,
one can connect to a Hubble server given its IP address and ServerName:

    kubectl exec -it -n kube-system deployment/hubble-cli -- \
        hubble observe --server tls://${IP?}:4244 \
            --tls-server-name ${SERVERNAME?} \
            --tls-ca-cert-files /var/lib/hubble-relay/tls/hubble-server-ca.crt \
            --tls-client-cert-file /var/lib/hubble-relay/tls/client.crt \
            --tls-client-key-file /var/lib/hubble-relay/tls/client.key

Both ${IP} and ${SERVERNAME} can be obtained by either looking at the
Hubble Relay Pod logs or alternatively by running:

    kubectl exec -it -n kube-system deployment/hubble-cli -- \
        hubble watch peers --server unix:///var/run/cilium/hubble.sock

Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
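For readers following the procedure in the PR description and the commit message above, here is the shape of Deployment those commands presuppose. This manifest is an added illustration written for this page; it is not the examples/hubble/hubble-cli.yaml file merged by the PR, which is not reproduced here. It mounts the hubble-relay-client-certs Secret named in the review discussion at the path the hubble commands read from, and the node's Cilium run directory so that `hubble watch peers` can reach the local unix socket. The Cilium image tag, the use of `sleep` to keep the Pod alive, and the Secret key names ca.crt/tls.crt/tls.key projected onto the file names the commands use are assumptions, not facts taken from the page.

```yaml
# Added illustrative manifest, not the file merged in this PR.
# Assumptions (not stated on the page): the image tag, the `sleep` command,
# and the Secret key names ca.crt / tls.crt / tls.key being projected.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hubble-cli
  namespace: kube-system
  labels:
    k8s-app: hubble-cli
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: hubble-cli
  template:
    metadata:
      labels:
        k8s-app: hubble-cli
    spec:
      containers:
      - name: hubble-cli
        # The Cilium image already ships the hubble CLI (as the PR description
        # notes); pin the tag to the cluster's Cilium version. Tag assumed here.
        image: quay.io/cilium/cilium:v1.10.0
        # Keep the Pod alive so it can be `kubectl exec`'d into on demand.
        command: ["sleep", "infinity"]
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          readOnlyRootFilesystem: true
        volumeMounts:
        # Relay's client identity: whoever can exec into this Pod can complete
        # the mTLS handshake to every Hubble server in the cluster.
        - name: hubble-relay-client-certs
          mountPath: /var/lib/hubble-relay/tls
          readOnly: true
        # Node-local Hubble unix socket used by `hubble watch peers`.
        - name: cilium-run
          mountPath: /var/run/cilium
      volumes:
      - name: hubble-relay-client-certs
        secret:
          secretName: hubble-relay-client-certs
          # Expose the Secret under the file names the debugging commands use.
          # The source key names are assumed to match the hubble-relay Deployment.
          items:
          - key: ca.crt
            path: hubble-server-ca.crt
          - key: tls.crt
            path: client.crt
          - key: tls.key
            path: client.key
      - name: cilium-run
        hostPath:
          path: /var/run/cilium
          type: Directory
```

Two practical caveats follow from this layout. The Pod holds Relay's client certificate and key plus a hostPath mount on the node, so anyone with `pods/exec` in kube-system on it can read every flow the Hubble servers expose; scale it to zero or delete the Deployment once the debugging session is over rather than leaving it running. And if the Secret's key names or the TLS layout change (the maintainability concern raised in the review below), the projected `items` list is the part of this manifest that has to change with it.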

@gandro gandro left a comment


Deployment itself looks good to me!

I am a bit worried about maintainability, e.g. changes to hubble-relay-client-certs, or the Hubble version getting bumped but this file getting left behind. The former is probably rare at this point, but see my inline comment for the latter.

examples/hubble/hubble-cli.yaml (inline review comment, resolved)
kaworu commented Jun 15, 2021

I am a bit worried about maintainability, e.g. changes to hubble-relay-client-certs, or the Hubble version getting bumped but this file getting left behind. The former is probably rare at this point, but see my inline comment for the latter.

@gandro About the former: changing anything (even trivial) in the TLS Secrets is already difficult as one has to go through updating several repositories (certgen, cilium, and cilium-cli), I don't think it's possible without git grepping for hubble-relay-client-certs which should catch this file as well. Hope that this explanation can ease your mind :)
