feat: allow installing hubble ui as standalone #17473
Commit efaab453d6183f532a650be6ac5c3fb0c3cbd502 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
Commit b31591c1edb5041af88478d477bc7c9a64e3eab1 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
Hello, is there anything I can do to help moving forward ? |
Hi @eddycharly and thank you for the PR.
Overall LGTM, but we need to figure out whether we need to generate the certificates for UI or not when .Values.hubble.ui.allowStandalone is set.
Also there is this PR which aims to accomplish about the same thing (although in a different way). Personally, I like the explicit .Values.hubble.ui.allowStandalone of this PR but let's see what the team thinks about it.
/cc @cilium/helm
@kaworu i pushed a version addressing the certs related comment. If hubble relay comes pre installed and tls is enabled on the server side, it should be the responsibility of the end user to provide the client certificates to hubble ui when installing it. For this, i added a An end user can install hubble ui with the following values file for example:
```yaml
agent: false
operator:
  enabled: false
cni:
  install: false
hubble:
  enabled: false
  relay:
    enabled: false
    tls:
      server:
        enabled: true
  ui:
    enabled: true
    standalone:
      enabled: true
      certsVolume:
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: my-hubble-ui-client-certs
              items:
              - key: tls.crt
                path: client.crt
              - key: tls.key
                path: client.key
              - key: ca.crt
                path: hubble-relay-ca.crt
```
Of course this has to match the Hubble Relay config and is not trivial but i guess no magic can be done here, except allowing the end user to configure it and hope he's got the config right. At least i'm checking that a certs volume is provided when in standalone and relay tls is enabled. WDYT ? |
@kaworu do you have comments on the new changes related to certificates ? |
Hello, any chance to get more review on this PR ? |
Hi @eddycharly,
The patch overall LGTM. I think we need to add documentation for this as this is a non-trivial use-case of installing Hubble UI. I don't know where is the best place in the documentation for such a custom installation so I'm deferring to @cilium/docs-structure here.
Thanks @kaworu i'll try to find my way through the documentation process. |
@kaworu I added the section below in the README of the chart. WDYT ?
Installing Hubble UI in standalone
Clusters sometimes come with Cilium, Hubble and Hubble relay already installed. You will need to set Below is an example deploying Hubble UI as standalone, with client certificates mounted from a
```yaml
agent: false
operator:
  enabled: false
cni:
  install: false
hubble:
  enabled: false
  relay:
    # set this to false as Hubble relay is already installed
    enabled: false
    tls:
      server:
        # set this to true if tls is enabled on Hubble relay server side
        enabled: true
  ui:
    # enable Hubble UI
    enabled: true
    standalone:
      # enable Hubble UI standalone deployment
      enabled: true
      # provide a volume containing Hubble relay client certificates to mount in Hubble UI pod
      certsVolume:
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: my-hubble-ui-client-certs
              items:
              - key: tls.crt
                path: client.crt
              - key: tls.key
                path: client.key
              - key: ca.crt
                path: hubble-relay-ca.crt
```
Please note that Hubble UI expects the certificate files to be available under the following paths:
```yaml
- name: TLS_RELAY_CA_CERT_FILES
  value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt
- name: TLS_RELAY_CLIENT_CERT_FILE
  value: /var/lib/hubble-ui/certs/client.crt
- name: TLS_RELAY_CLIENT_KEY_FILE
  value: /var/lib/hubble-ui/certs/client.key
```
Keep this in mind when providing the volume containing the certificate. |
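An added example, not code from this PR or from the Cilium chart: a pre-install check that the `certsVolume` items in a values file produce the three file names Hubble UI reads under `/var/lib/hubble-ui/certs`. The function names and the `GOOD`/`BAD` samples are constructed for illustration, and only secret sources with explicit `items` are modelled.

```python
# Added illustration: not part of the Cilium chart or of this PR.
import posixpath

MOUNT_DIR = "/var/lib/hubble-ui/certs"  # directory part of the paths quoted above
EXPECTED = {  # env var -> file Hubble UI reads, as quoted above
    "TLS_RELAY_CA_CERT_FILES": MOUNT_DIR + "/hubble-relay-ca.crt",
    "TLS_RELAY_CLIENT_CERT_FILE": MOUNT_DIR + "/client.crt",
    "TLS_RELAY_CLIENT_KEY_FILE": MOUNT_DIR + "/client.key",
}

def projected_paths(volume):
    """File names created by secret sources that list explicit items.
    Assumption: sources without items (whole-secret projection) are not modelled."""
    paths = set()
    for source in volume.get("projected", {}).get("sources", []):
        for item in source.get("secret", {}).get("items", []):
            paths.add(posixpath.normpath(item["path"]))
    return paths

def check_standalone_certs(values):
    """Return a list of problems; an empty list means the values are consistent."""
    hubble = values.get("hubble", {})
    standalone = hubble.get("ui", {}).get("standalone", {})
    relay_tls = hubble.get("relay", {}).get("tls", {}).get("server", {}).get("enabled")
    if not (standalone.get("enabled") and relay_tls):
        return []  # not standalone, or relay TLS off: the check does not apply
    volume = standalone.get("certsVolume")
    if not volume:
        return ["relay TLS is enabled but hubble.ui.standalone.certsVolume is empty"]
    present = projected_paths(volume)
    return [f"{env}: no volume item maps to {path}"
            for env, path in EXPECTED.items()
            if posixpath.relpath(path, MOUNT_DIR) not in present]

def sample_values(items):
    """Constructed values with the same shape as the example on this page."""
    sources = [{"secret": {"name": "my-hubble-ui-client-certs", "items": items}}]
    return {"hubble": {
        "relay": {"enabled": False, "tls": {"server": {"enabled": True}}},
        "ui": {"enabled": True, "standalone": {
            "enabled": True, "certsVolume": {"projected": {"sources": sources}}}}}}

GOOD = [{"key": "tls.crt", "path": "client.crt"},
        {"key": "tls.key", "path": "client.key"},
        {"key": "ca.crt", "path": "hubble-relay-ca.crt"}]
# Constructed mistake: keys projected under their secret key names.
BAD = [{"key": k, "path": k} for k in ("tls.crt", "tls.key", "ca.crt")]

if __name__ == "__main__":
    print(check_standalone_certs(sample_values(GOOD)))
    print(check_standalone_certs(sample_values(BAD)))
```
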
/test |
ConformanceEKS test failed but i don't think it's related to this PR 🤔 |
@eddycharly Could you rebase on top of |
@kaworu done 🤞 |
/test |
ConformanceEKS test failed again 😢 |
@kaworu sorry for pinging you again 🙈 Do you have an idea how to make the failing test green ? |
/ci-eks |
Finally, it's green 🎉 |
/test |
😢 |
test-runtime EDIT: vm provisioning failure
Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:
If it is a flake, comment |
/mlh new-flake Cilium-PR-K8s-GKE 👍 created #17672 |
Thanks @rolinh ! |
It looks like the VM couldn't be provisioned again for the runtime test. I'll check with the CI team if there are infra issues or other known issues. |
/test-gke |
@eddycharly The runtime test failure is actually legit. Could you please run |
@rolinh It doesn't seem to work for me, am i missing something ? Am i supposed to run that at the root of the repo ?
```
$ make -C Documentation update-helm-values
make: *** No rule to make target `update-helm-values'. Stop.
```
|
/test |
/test
Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:
If it is a flake, comment
Job 'Cilium-PR-K8s-1.21-kernel-4.9' failed and has not been observed before, so may be related to your PR:
If it is a flake, comment |
@eddycharly Hi! Thank you for your contribution! There is one more minor thing to fix with the documentation, I'm afraid. https://github.com/cilium/cilium/runs/3978620593?check_suite_focus=true, reports:
You can reproduce this by running:
As suggested by the check will result in the following diff:
Including this in your commits should fix the documentation failure. Thanks! |
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
@kkourt thanks ! |
/test |
/ci-gke |
Wow, all tests green ! 🎉 🍾 |
This PR allows installing hubble ui as standalone.
Sometimes, a cluster comes with cilium and hubble relay already provisioned (kOps for example manages cilium and hubble relay). In this context, installing Hubble ui on top of the already installed components using the cilium helm chart would be very handy.