Support configuring TLS for hubble metrics server #31973

Merged Apr 29, 2024 (1 commit)

@chancez (Contributor) commented Apr 15, 2024

Support configuring TLS for hubble metrics server

Adds support for TLS and mTLS on the Hubble Metrics server. This allows Prometheus or other Prometheus-compatible scrapers to connect to the metrics endpoint using TLS and optionally authenticate access to metrics via mTLS.

This depends on cilium/certgen#199 so that the cronJob automatic TLS method can provision certs for the Hubble metrics server.
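
What the TLS versus mTLS distinction described above means for a scraper, as an added example built only on Go's standard library; it is not code from this PR or from Cilium. The stub handler, the certificate names and the `selfSigned` and `scrape` helpers are constructed for illustration, and a pinned self-signed certificate stands in for a client CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned makes a throwaway Ed25519 client certificate (constructed test data).
func selfSigned(cn string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// scrape serves a stub metrics handler over TLS with the given client-auth mode and GETs it once.
func scrape(auth tls.ClientAuthType, trusted *x509.CertPool, certs ...tls.Certificate) error {
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "constructed_metric 1") })
	srv := httptest.NewUnstartedServer(h)
	srv.TLS = &tls.Config{ClientAuth: auth, ClientCAs: trusted} // httptest adds its own server cert
	srv.StartTLS()
	defer srv.Close()
	tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the server cert
	tr.TLSClientConfig.Certificates = certs                // what the scraper presents, if anything
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	good, bad, pool := selfSigned("scraper"), selfSigned("scraper"), x509.NewCertPool()
	pool.AddCert(good.Leaf) // the server trusts only this certificate
	fmt.Println(scrape(tls.RequireAndVerifyClientCert, pool, good), scrape(tls.RequireAndVerifyClientCert, pool, bad))
}
```

With `tls.RequireAnyClientCert` in place of `tls.RequireAndVerifyClientCert`, the server accepts the untrusted certificate as well, because that mode requests a certificate without verifying it against `ClientCAs`.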

@chancez added the kind/feature (This introduces new functionality.), area/metrics (Impacts statistics / metrics gathering, eg via Prometheus.) and sig/hubble (Impacts hubble server or relay) labels Apr 15, 2024
@chancez self-assigned this Apr 15, 2024
@maintainer-s-little-helper (bot) added the dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) label Apr 15, 2024
@chancez force-pushed the pr/chancez/hubble_metrics_mtls branch from 8c0c10e to eb60b85 April 17, 2024 18:55

@chancez (Contributor, Author) commented Apr 18, 2024

Waiting on #32066

@chancez force-pushed the pr/chancez/hubble_metrics_mtls branch 3 times, most recently from 3eb8a5a to d4251aa April 22, 2024 21:00

@chancez (Contributor, Author) commented Apr 22, 2024

/test

@chancez marked this pull request as ready for review April 22, 2024 21:57
@chancez requested review from a team as code owners April 22, 2024 21:57

@nebril (Member) left a comment

Thanks for the PR! Great change to see overall. I have two small questions about messaging around erroring out from launchHubble function and the timeouts there, comments left inline.

daemon/cmd/hubble.go (outdated, resolved)
daemon/cmd/hubble.go (outdated, resolved)
@chancez force-pushed the pr/chancez/hubble_metrics_mtls branch from d4251aa to 4cc9f7f April 23, 2024 21:27
@chancez requested a review from nebril April 23, 2024 22:00

@chancez (Contributor, Author) commented Apr 23, 2024

/test

@chancez force-pushed the pr/chancez/hubble_metrics_mtls branch from 4cc9f7f to 9521996 April 24, 2024 18:15

@chancez (Contributor, Author) commented Apr 24, 2024

Test failures look legit, trying to figure it out.

@chancez (Contributor, Author) commented Apr 24, 2024

/test

@chancez force-pushed the pr/chancez/hubble_metrics_mtls branch from 9521996 to db59f1b April 24, 2024 21:59

@chancez (Contributor, Author) commented Apr 24, 2024

/test

@kaworu added the release-note/minor (This PR changes functionality that users may find relevant to operating Cilium.) label Apr 26, 2024
@maintainer-s-little-helper (bot) removed the dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) label Apr 26, 2024

@kaworu (Member) left a comment

No strong objection, but not ideal to add more fuel to both using the cilium.io tld for certificates and more code in launchHubble().

daemon/cmd/hubble.go (outdated, resolved)
daemon/cmd/hubble.go (resolved)
Also supports using mTLS to secure access to the metrics endpoint.

Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
@chancez force-pushed the pr/chancez/hubble_metrics_mtls branch from db59f1b to 8e45940 April 26, 2024 14:03

@chancez (Contributor, Author) commented Apr 26, 2024

/test

@maintainer-s-little-helper (bot) added the ready-to-merge (This PR has passed all tests and received consensus from code owners to merge.) label Apr 26, 2024
@chancez added this pull request to the merge queue Apr 29, 2024
Merged via the queue into main with commit 41408a7 Apr 29, 2024
265 checks passed
@chancez deleted the pr/chancez/hubble_metrics_mtls branch April 29, 2024 21:00