[cilium] fix rbac and upgrade hubble v0.11.0 (#3) (#9959)

* [cilium] fix rbac and upgrade hubble v0.11.0 (#3) * [cilium] fix rbac for LB bgp ipam * [cilium] Upgrade Hubble to v0.11.0 and add mTLS between Hubble UI and Hubble Relay * fix dns domain hubble for tls --------- Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr> * Fix blank line --------- Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr>
2026-03-07 02:27:43 +03:00 · 2023-04-10 07:07:15 +02:00
parent fcb5e77338
commit 4a03d13d08
7 changed files with 66 additions and 28 deletions
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -273,3 +273,20 @@ cilium_rolling_restart_wait_retries_delay_seconds: 10
 cilium_agent_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9962', '9090') }}"
 cilium_operator_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9963', '6942') }}"
 cilium_hubble_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9965', '9091') }}"
+
+# Cilium certgen args for generate certificate for hubble mTLS
+cilium_certgen_args:
+  cilium-namespace: kube-system
+  ca-reuse-secret: true
+  ca-secret-name: hubble-ca-secret
+  ca-generate: true
+  ca-validity-duration: 94608000s
+  hubble-server-cert-generate: true
+  hubble-server-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
+  hubble-server-cert-validity-duration: 94608000s
+  hubble-server-cert-secret-name: hubble-server-certs
+  hubble-relay-client-cert-generate: true
+  hubble-relay-client-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
+  hubble-relay-client-cert-validity-duration: 94608000s
+  hubble-relay-client-cert-secret-name: hubble-relay-client-certs
+  hubble-relay-server-cert-generate: false