examples: add an example of a hubble-cli Deployment #16459
Conversation
Would that make sense to mention this deployment somewhere in the documentation?
In order to debug Relay to Hubble connectivity issues, it is sometimes useful to have a Pod running with the Hubble CLI. Because the Relay image is based on a scratch image, kubectl exec'ing into it is not possible. While the Hubble CLI can be found in the Cilium Pods, the Relay certificate needed to establish the mTLS handshake to the Hubble server is not mounted into the Cilium Pods.

This commit introduces a new hubble-cli Deployment example. When debugging Relay mTLS issues, it can be used to quickly run a hubble-cli Pod:

    kubectl apply -n kube-system -f path/to/hubble-cli.yaml

Since the Relay mTLS certificates are mounted into the hubble-cli Pods, one can connect to a Hubble server given its IP address and ServerName:

    kubectl exec -it -n kube-system deployment/hubble-cli -- \
        hubble observe --server tls://${IP?}:4244 \
            --tls-server-name ${SERVERNAME?} \
            --tls-ca-cert-files /var/lib/hubble-relay/tls/hubble-server-ca.crt \
            --tls-client-cert-file /var/lib/hubble-relay/tls/client.crt \
            --tls-client-key-file /var/lib/hubble-relay/tls/client.key

Both ${IP} and ${SERVERNAME} can be obtained by either looking at the Hubble Relay Pod logs or alternatively by running:

    kubectl exec -it -n kube-system deployment/hubble-cli -- \
        hubble watch peers --server unix:///var/run/cilium/hubble.sock

Signed-off-by: Alexandre Perrin <alex@kaworu.ch>
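The manifest itself is not shown on this page. The following is an added example of a Deployment of the shape the commit message describes, written here for illustration and not the manifest from the PR. It assumes the Relay client certificate Secret is named hubble-relay-client-certs (as mentioned in the review below), that its keys are named like the files the hubble observe command above reads (hubble-server-ca.crt, client.crt, client.key), that the local Hubble unix socket lives under /var/run/cilium on the node, and that the Cilium agent image (which the commit message says ships the Hubble CLI) is used with the same tag as the cluster's cilium DaemonSet; the image tag is a placeholder to replace.

```yaml
# Added example, not the project's hubble-cli.yaml: a minimal Deployment that
# mounts Relay's mTLS client credentials so the Hubble CLI can talk to a Hubble
# server the same way Relay does. Assumptions are marked inline.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hubble-cli
  namespace: kube-system
  labels:
    k8s-app: hubble-cli
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: hubble-cli
  template:
    metadata:
      labels:
        k8s-app: hubble-cli
    spec:
      # The Pod only needs the mounted certificates, never the Kubernetes API,
      # so do not hand it a ServiceAccount token.
      automountServiceAccountToken: false
      containers:
        - name: hubble-cli
          # Assumption: the cilium agent image ships the hubble binary; pin the
          # tag to the one used by the cilium DaemonSet in this cluster.
          image: quay.io/cilium/cilium:REPLACE_WITH_CLUSTER_CILIUM_TAG
          # Keep the Pod idle; all work happens through kubectl exec.
          command: ["sleep", "infinity"]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            # Relay's client cert/key plus the Hubble server CA, at the paths
            # the hubble observe command in the commit message expects.
            - name: hubble-relay-client-certs
              mountPath: /var/lib/hubble-relay/tls
              readOnly: true
            # The node-local Hubble unix socket, for `hubble watch peers`.
            - name: cilium-run
              mountPath: /var/run/cilium
      volumes:
        - name: hubble-relay-client-certs
          secret:
            # Assumption: Secret name and key names match the file names above.
            secretName: hubble-relay-client-certs
            defaultMode: 0400
        - name: cilium-run
          hostPath:
            # Assumption: the agent exposes hubble.sock in this directory.
            path: /var/run/cilium
            type: Directory
```

Apply it with the kubectl apply command from the commit message, run the hubble observe and hubble watch peers commands against it, and delete the Deployment when done: the Pod holds Relay's private client key, and leaving a long-lived, exec-able Pod with those credentials in kube-system widens the blast radius of any compromised account that can exec into it. When the handshake fails, check first that --tls-server-name matches a name in the Hubble server's certificate; the IP alone is not what the CA-signed certificate is validated against.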
Deployment itself looks good to me!
I am a bit worried about maintainability, e.g. changes to hubble-relay-client-certs, or the Hubble version getting bumped but this file getting left behind. The former is probably rare at this point, but see my inline comment for the latter.
@gandro About the former: changing anything (even trivial) in the TLS Secrets is already difficult as one has to go through updating several repositories (certgen, cilium, and cilium-cli), I don't think it's possible without git grepping for |
NOTE: This PR aims to replace both #14615 (which makes little sense now that we don't have the auto-generated install.yaml stuff) and cilium/cilium-cli#172 (which has its own limitations with respect to Hubble TLS layout changes). There is a corresponding backport PR of this targeting v1.9 at #16460.