cilium · kkourt · Oct 25, 2021 · Oct 18, 2021
diff --git a/Documentation/gettingstarted/hubble.rst b/Documentation/gettingstarted/hubble.rst
@@ -52,6 +52,69 @@ If you have not done so already, enable the Hubble UI by running the following c
               --set hubble.relay.enabled=true \\
               --set hubble.ui.enabled=true
 
+    .. group-tab:: Helm (Standalone install)
+
+        Clusters sometimes come with Cilium, Hubble, and Hubble relay already installed.
+        When this is the case you can still use Helm to install only Hubble UI on top of the pre-installed components.
+
+        You will need to set ``hubble.ui.standalone.enabled`` to ``true`` and optionally provide a volume to mount
+        Hubble UI client certificates if TLS is enabled on Hubble Relay server side.
+
+        Below is an example deploying Hubble UI as standalone, with client certificates mounted from a ``my-hubble-ui-client-certs`` secret:
+
+        .. parsed-literal::
+
+            helm upgrade --install --namespace kube-system cilium |CHART_RELEASE| --values - <<EOF
+            agent: false
+            operator:
+              enabled: false
+            cni:
+              install: false
+            hubble:
+              enabled: false
+              relay:
+                # set this to false as Hubble relay is already installed
+                enabled: false
+                tls:
+                  server:
+                    # set this to true if tls is enabled on Hubble relay server side
+                    enabled: true
+            ui:
+              # enable Hubble UI
+              enabled: true
+              standalone:
+                # enable Hubble UI standalone deployment
+                enabled: true
+                # provide a volume containing Hubble relay client certificates to mount in Hubble UI pod
+                certsVolume:
+                  projected:
+                    defaultMode: 0400
+                    sources:
+                      - secret:
+                          name: my-hubble-ui-client-certs
+                          items:
+                            - key: tls.crt
+                              path: client.crt
+                            - key: tls.key
+                              path: client.key
+                            - key: ca.crt
+                              path: hubble-relay-ca.crt
+            EOF
+
+
+        Please note that Hubble UI expects the certificate files to be available under the following paths:
+
+        .. code-block:: shell-session
+
+            - name: TLS_RELAY_CA_CERT_FILES
+              value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt
+            - name: TLS_RELAY_CLIENT_CERT_FILE
+              value: /var/lib/hubble-ui/certs/client.crt
+            - name: TLS_RELAY_CLIENT_KEY_FILE
+              value: /var/lib/hubble-ui/certs/client.key
+
+        Keep this in mind when providing the volume containing the certificate.
+
 
 Open the Hubble UI
 ==================

diff --git a/Documentation/gettingstarted/hubble_setup.rst b/Documentation/gettingstarted/hubble_setup.rst
@@ -92,7 +92,6 @@ Enable Hubble in Cilium
               --set hubble.relay.enabled=true \\
               --set hubble.ui.enabled=true
 
-
 Install the Hubble Client
 =========================
 

diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/Documentation/spelling_wordlist.txt b/Documentation/spelling_wordlist.txt
@@ -222,6 +222,7 @@ certManagerIssuerRef
 certValidityDuration
 certgen
 certmanager
+certsVolume
 cgroup
 chainingMode
 changelog

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -249,6 +249,8 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.replicas | int | `1` | The number of replicas of Hubble UI to deploy. |
 | hubble.ui.rollOutPods | bool | `false` | Roll out Hubble-ui pods automatically when configmap is updated. |
 | hubble.ui.securityContext.enabled | bool | `true` | Whether to set the security context on the Hubble UI pods. |
+| hubble.ui.standalone.enabled | bool | `false` | When true, it will allow installing the Hubble UI only, without checking dependencies. It is useful if a cluster already has cilium and Hubble relay installed and you just want Hubble UI to be deployed. When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` |
+| hubble.ui.standalone.tls.certsVolume | object | `{}` | When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates. |
 | hubble.ui.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values used to connect to hubble-relay This keypair is presented to Hubble Relay instances for mTLS authentication and is required when hubble.relay.tls.server.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |

diff --git a/install/kubernetes/cilium/templates/NOTES.txt b/install/kubernetes/cilium/templates/NOTES.txt
@@ -11,6 +11,8 @@
     {{- end }}
 {{- else if .Values.hubble.enabled }}
     You have successfully installed {{ title .Chart.Name }} with Hubble.
+{{- else if (and (.Values.hubble.ui.enabled) (.Values.hubble.ui.standalone.enabled)) }}
+    You have successfully installed {{ title .Chart.Name }} with standalone Hubble UI.
 {{- else }}
     You have successfully installed {{ title .Chart.Name }}.
 {{- end }}

diff --git a/install/kubernetes/cilium/templates/hubble-ui/clusterrole.yaml b/install/kubernetes/cilium/templates/hubble-ui/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }}
+{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.serviceAccounts.ui.create }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/install/kubernetes/cilium/templates/hubble-ui/clusterrolebinding.yaml b/install/kubernetes/cilium/templates/hubble-ui/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }}
+{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/install/kubernetes/cilium/templates/hubble-ui/configmap.yaml b/install/kubernetes/cilium/templates/hubble-ui/configmap.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.ui.enabled }}
+{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }}
 ---
 apiVersion: v1
 kind: ConfigMap

diff --git a/install/kubernetes/cilium/templates/hubble-ui/deployment.yaml b/install/kubernetes/cilium/templates/hubble-ui/deployment.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.ui.enabled }}
+{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }}
 kind: Deployment
 apiVersion: apps/v1
 metadata:
@@ -119,6 +119,9 @@ spec:
           name: hubble-ui-envoy
       {{- if .Values.hubble.relay.tls.server.enabled }}
       - name: hubble-ui-client-certs
+      {{- if .Values.hubble.ui.standalone.enabled }}
+        {{- toYaml .Values.hubble.ui.standalone.tls.certsVolume | nindent 8 }}
+      {{- else }}
         projected:
           # note: the leading zero means this number is in octal representation: do not remove it
           defaultMode: 0400
@@ -133,4 +136,5 @@ spec:
                 - key: tls.key
                   path: client.key
       {{- end }}
+      {{- end }}
 {{- end }}
diff --git a/install/kubernetes/cilium/templates/hubble-ui/ingress.yaml b/install/kubernetes/cilium/templates/hubble-ui/ingress.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.ui.enabled .Values.hubble.ui.ingress.enabled }}
+{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.ingress.enabled }}
 apiVersion: {{ template "ingress.apiVersion" . }}
 kind: Ingress
 metadata:

diff --git a/install/kubernetes/cilium/templates/hubble-ui/service.yaml b/install/kubernetes/cilium/templates/hubble-ui/service.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.ui.enabled }}
+{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }}
 kind: Service
 apiVersion: v1
 metadata:

diff --git a/install/kubernetes/cilium/templates/hubble-ui/serviceaccount.yaml b/install/kubernetes/cilium/templates/hubble-ui/serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }}
+{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

diff --git a/install/kubernetes/cilium/templates/validate.yaml b/install/kubernetes/cilium/templates/validate.yaml
@@ -1,9 +1,14 @@
 {{/* validate hubble config */}}
-{{- if .Values.hubble.ui.enabled }}
+{{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }}
   {{- if not .Values.hubble.relay.enabled }}
     {{ fail "Hubble UI requires .Values.hubble.relay.enabled=true" }}
   {{- end }}
 {{- end }}
+{{- if and .Values.hubble.ui.enabled .Values.hubble.ui.standalone.enabled .Values.hubble.relay.tls.server.enabled }}
+  {{- if not .Values.hubble.ui.standalone.tls.certsVolume }}
+    {{ fail "Hubble UI in standalone with Hubble Relay server TLS enabled requires providing .Values.hubble.ui.standalone.tls.certsVolume for mounting client certificates in the backend pod" }}
+  {{- end }}
+{{- end }}
 {{- if .Values.hubble.relay.enabled }}
   {{- if not .Values.hubble.enabled }}
     {{ fail "Hubble Relay requires .Values.hubble.enabled=true" }}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
@@ -756,6 +756,30 @@ hubble:
     # -- Whether to enable the Hubble UI.
     enabled: false
 
+    standalone:
+      # -- When true, it will allow installing the Hubble UI only, without checking dependencies.
+      # It is useful if a cluster already has cilium and Hubble relay installed and you just
+      # want Hubble UI to be deployed.
+      # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui`
+      enabled: false
+
+      tls:
+        # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required
+        # to provide a volume for mounting the client certificates.
+        certsVolume: {}
+          # projected:
+          #   defaultMode: 0400
+          #   sources:
+          #   - secret:
+          #       name: hubble-ui-client-certs
+          #       items:
+          #       - key: tls.crt
+          #         path: client.crt
+          #       - key: tls.key
+          #         path: client.key
+          #       - key: ca.crt
+          #         path: hubble-relay-ca.crt
+
     # -- Roll out Hubble-ui pods automatically when configmap is updated.
     rollOutPods: false