feat: generate tls certs for ui on helm install

install/kubernetes/cilium/README.md

@@ -236,6 +236,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.replicas | int | `1` | The number of replicas of Hubble UI to deploy. |
 | hubble.ui.rollOutPods | bool | `false` | Roll out Hubble-ui pods automatically when configmap is updated. |
 | hubble.ui.securityContext.enabled | bool | `true` | Whether to set the security context on the Hubble UI pods. |
+| hubble.ui.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values used to connect to hubble-relay This keypair is presented to Hubble Relay instances for mTLS authentication and is required when hubble.relay.tls.server.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |

install/kubernetes/cilium/templates/_helpers.tpl

@@ -71,6 +71,15 @@ tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 {{- end }}
 
+{{- define "hubble.ui.gen-certs" }}
+{{- $ca := .ca | default (genCA "hubble-ca.cilium.io" (.Values.hubble.tls.auto.certValidityDuration | int)) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cert := genSignedCert "*.hubble-ui.cilium.io" nil (list "*.hubble-ui.cilium.io") (.Values.hubble.tls.auto.certValidityDuration | int) $ca -}}
+ca.crt: {{ $ca.Cert | b64enc }}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+
 {{/* Generate CA "vmca" for clustermesh-apiserver in the global dict. */}}
 {{- define "clustermesh.apiserver.generate.ca" }}
 {{- $ca := .cmca | default (genCA "clustermesh-apiserver-ca.cilium.io" (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int)) -}}

install/kubernetes/cilium/templates/hubble-ui-client-tls-secret.yaml

@@ -0,0 +1,20 @@
+{{- if and (.Values.hubble.ui.enabled) (.Values.hubble.relay.tls.server.enabled) }}
+{{- $clientCertsProvided := and .Values.hubble.tls.ca.cert .Values.hubble.ui.tls.client.cert .Values.hubble.ui.tls.client.key }}
+{{- $hubbleCertsGenerate := and .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") -}}
+{{- if or $clientCertsProvided $hubbleCertsGenerate }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hubble-ui-client-certs
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+{{- if $hubbleCertsGenerate }}
+{{ include "hubble.ui.gen-certs" . | indent 2 }}
+{{- else }}
+  ca.crt: {{ .Values.hubble.tls.ca.cert }}
+  tls.crt: {{ .Values.hubble.ui.tls.client.cert }}
+  tls.key: {{ .Values.hubble.ui.tls.client.key }}
+{{- end }}
+{{- end }}
+{{- end }}

install/kubernetes/cilium/templates/hubble-ui-deployment.yaml

@@ -60,17 +60,34 @@ spec:
           env:
             - name: EVENTS_SERVER_PORT
               value: "8090"
-            - name: FLOWS_API_ADDR
 {{- if .Values.hubble.relay.tls.server.enabled }}
+            - name: FLOWS_API_ADDR
               value: "hubble-relay:443"
+            - name: TLS_TO_RELAY_ENABLED
+              value: "true"
+            - name: TLS_RELAY_SERVER_NAME
+              value: ui.hubble-relay.cilium.io
+            - name: TLS_RELAY_CA_CERT_FILES
+              value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt
+            - name: TLS_RELAY_CLIENT_CERT_FILE
+              value: /var/lib/hubble-ui/certs/client.crt
+            - name: TLS_RELAY_CLIENT_KEY_FILE
+              value: /var/lib/hubble-ui/certs/client.key
 {{- else }}
+            - name: FLOWS_API_ADDR
               value: "hubble-relay:80"
 {{- end }}
           ports:
             - containerPort: 8090
               name: grpc
           resources:
             {{- toYaml .Values.hubble.ui.backend.resources  | trim | nindent 12 }}
+          volumeMounts:
+            {{- if .Values.hubble.relay.tls.server.enabled }}
+            - mountPath: /var/lib/hubble-ui/certs
+              name: hubble-ui-client-certs
+              readOnly: true
+            {{- end }}
         - name: proxy
           image: "{{ .Values.hubble.ui.proxy.image.repository }}:{{ .Values.hubble.ui.proxy.image.tag }}"
           imagePullPolicy: {{ .Values.hubble.ui.proxy.image.pullPolicy }}
@@ -95,4 +112,18 @@ spec:
         - name: hubble-ui-envoy-yaml
           configMap:
             name: hubble-ui-envoy
+        {{- if .Values.hubble.relay.tls.server.enabled }}
+        - name: hubble-ui-client-certs
+          projected:
+            sources:
+            - secret:
+                name: hubble-ui-client-certs
+                items:
+                  - key: ca.crt
+                    path: hubble-relay-ca.crt
+                  - key: tls.crt
+                    path: client.crt
+                  - key: tls.key
+                    path: client.key
+        {{- end }}
 {{- end }}

install/kubernetes/cilium/values.yaml

@@ -731,6 +731,15 @@ hubble:
     # -- Roll out Hubble-ui pods automatically when configmap is updated.
     rollOutPods: false
 
+    tls:
+      # -- base64 encoded PEM values used to connect to hubble-relay
+      # This keypair is presented to Hubble Relay instances for mTLS
+      # authentication and is required when hubble.relay.tls.server.enabled is true.
+      # These values need to be set manually if hubble.tls.auto.enabled is false.
+      client:
+        cert: ""
+        key: ""
+
     backend:
       # -- Hubble-ui backend image.
       image: