[cilium] fix rbac and upgrade hubble v0.11.0 (#3) (#9959)

* [cilium] fix rbac and upgrade hubble v0.11.0 (#3) * [cilium] fix rbac for LB bgp ipam * [cilium] Upgrade Hubble to v0.11.0 and add mTLS between Hubble UI and Hubble Relay * fix dns domain hubble for tls --------- Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr> * Fix blank line --------- Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr>
2026-03-09 11:47:47 +03:00 · 2023-04-10 07:07:15 +02:00
parent fcb5e77338
commit 4a03d13d08
7 changed files with 66 additions and 28 deletions
--- a/roles/network_plugin/cilium/templates/hubble/cronjob.yml.j2
+++ b/roles/network_plugin/cilium/templates/hubble/cronjob.yml.j2
@@ -29,19 +29,10 @@ spec:
              # line args instead of via config map. This allows users to inspect
              # the values used in past runs by inspecting the completed pod.
              args:
-                - "--cilium-namespace=kube-system"
-                - "--ca-reuse-secret=true"
-                - "--ca-secret-name=hubble-ca-secret"
-                - "--ca-generate=true"
-                - "--ca-validity-duration=94608000s"
-                - "--hubble-server-cert-generate=true"
-                - "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
-                - "--hubble-server-cert-validity-duration=94608000s"
-                - "--hubble-server-cert-secret-name=hubble-server-certs"
-                - "--hubble-relay-client-cert-generate=true"
-                - "--hubble-relay-client-cert-validity-duration=94608000s"
-                - "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
-                - "--hubble-relay-server-cert-generate=false"
+              {% for key, value in cilium_certgen_args.items() -%}
+                - "--{{ key }}={{ value }}"
+              {% endfor %}
+
          hostNetwork: true
          restartPolicy: OnFailure
      ttlSecondsAfterFinished: 1800
--- a/roles/network_plugin/cilium/templates/hubble/deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/hubble/deploy.yml.j2
@@ -138,8 +138,28 @@ spec:
          env:
            - name: EVENTS_SERVER_PORT
              value: "8090"
+            {% if cilium_hubble_tls_generate -%}
+            - name: TLS_TO_RELAY_ENABLED
+              value: "true"
+            - name: FLOWS_API_ADDR
+              value: "hubble-relay:443"
+            - name: TLS_RELAY_SERVER_NAME
+              value: ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io
+            - name: TLS_RELAY_CA_CERT_FILES
+              value: /var/lib/hubble-ui/certs/hubble-server-ca.crt
+            - name: TLS_RELAY_CLIENT_CERT_FILE
+              value: /var/lib/hubble-ui/certs/client.crt
+            - name: TLS_RELAY_CLIENT_KEY_FILE
+              value: /var/lib/hubble-ui/certs/client.key
+            {% else -%}
            - name: FLOWS_API_ADDR
              value: "hubble-relay:80"
+            {% endif %}
+
+          volumeMounts:
+            - name: tls
+              mountPath: /var/lib/hubble-ui/certs
+              readOnly: true
          ports:
            - containerPort: 8090
              name: grpc
@@ -150,5 +170,17 @@ spec:
            defaultMode: 420
            name: hubble-ui-nginx
          name: hubble-ui-nginx-conf
+        - projected:
+            sources:
+            - secret:
+                name: hubble-relay-client-certs
+                items:
+                  - key: ca.crt
+                    path: hubble-server-ca.crt
+                  - key: tls.crt
+                    path: client.crt
+                  - key: tls.key
+                    path: client.key
+          name: tls
        - emptyDir: {}
          name: tmp-dir
--- a/roles/network_plugin/cilium/templates/hubble/job.yml.j2
+++ b/roles/network_plugin/cilium/templates/hubble/job.yml.j2
@@ -25,19 +25,10 @@ spec:
          # line args instead of via config map. This allows users to inspect
          # the values used in past runs by inspecting the completed pod.
          args:
-            - "--cilium-namespace=kube-system"
-            - "--ca-reuse-secret=true"
-            - "--ca-secret-name=hubble-ca-secret"
-            - "--ca-generate=true"
-            - "--ca-validity-duration=94608000s"
-            - "--hubble-server-cert-generate=true"
-            - "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
-            - "--hubble-server-cert-validity-duration=94608000s"
-            - "--hubble-server-cert-secret-name=hubble-server-certs"
-            - "--hubble-relay-client-cert-generate=true"
-            - "--hubble-relay-client-cert-validity-duration=94608000s"
-            - "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
-            - "--hubble-relay-server-cert-generate=false"
+          {% for key, value in cilium_certgen_args.items() -%}
+            - "--{{ key }}={{ value }}"
+          {% endfor %}
+
      hostNetwork: true
      restartPolicy: OnFailure
  ttlSecondsAfterFinished: 1800
--- a/roles/network_plugin/cilium/templates/hubble/service.yml.j2
+++ b/roles/network_plugin/cilium/templates/hubble/service.yml.j2
@@ -58,7 +58,11 @@ spec:
    k8s-app: hubble-relay
  ports:
  - protocol: TCP
+    {% if cilium_hubble_tls_generate -%}
+    port: 443
+    {% else -%}
    port: 80
+    {% endif -%}
    targetPort: 4245
 ---
 # Source: cilium/templates/hubble-ui-service.yaml