* [cilium] fix rbac and upgrade hubble v0.11.0 (#3) * [cilium] fix rbac for LB bgp ipam * [cilium] Upgrade Hubble to v0.11.0 and add mTLS between Hubble UI and Hubble Relay * fix dns domain hubble for tls --------- Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr> * Fix blank line --------- Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr>pull/9970/head
parent
fcb5e77338
commit
4a03d13d08
|
@ -1038,9 +1038,9 @@ cilium_hubble_relay_image_tag: "{{ cilium_version }}"
|
||||||
cilium_hubble_certgen_image_repo: "{{ quay_image_repo }}/cilium/certgen"
|
cilium_hubble_certgen_image_repo: "{{ quay_image_repo }}/cilium/certgen"
|
||||||
cilium_hubble_certgen_image_tag: "v0.1.8"
|
cilium_hubble_certgen_image_tag: "v0.1.8"
|
||||||
cilium_hubble_ui_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui"
|
cilium_hubble_ui_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui"
|
||||||
cilium_hubble_ui_image_tag: "v0.9.2"
|
cilium_hubble_ui_image_tag: "v0.11.0"
|
||||||
cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend"
|
cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend"
|
||||||
cilium_hubble_ui_backend_image_tag: "v0.9.2"
|
cilium_hubble_ui_backend_image_tag: "v0.11.0"
|
||||||
cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy"
|
cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy"
|
||||||
cilium_hubble_envoy_image_tag: "v1.22.5"
|
cilium_hubble_envoy_image_tag: "v1.22.5"
|
||||||
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
|
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
|
||||||
|
|
|
@ -273,3 +273,20 @@ cilium_rolling_restart_wait_retries_delay_seconds: 10
|
||||||
cilium_agent_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9962', '9090') }}"
|
cilium_agent_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9962', '9090') }}"
|
||||||
cilium_operator_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9963', '6942') }}"
|
cilium_operator_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9963', '6942') }}"
|
||||||
cilium_hubble_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9965', '9091') }}"
|
cilium_hubble_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9965', '9091') }}"
|
||||||
|
|
||||||
|
# Cilium certgen args for generate certificate for hubble mTLS
|
||||||
|
cilium_certgen_args:
|
||||||
|
cilium-namespace: kube-system
|
||||||
|
ca-reuse-secret: true
|
||||||
|
ca-secret-name: hubble-ca-secret
|
||||||
|
ca-generate: true
|
||||||
|
ca-validity-duration: 94608000s
|
||||||
|
hubble-server-cert-generate: true
|
||||||
|
hubble-server-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
|
||||||
|
hubble-server-cert-validity-duration: 94608000s
|
||||||
|
hubble-server-cert-secret-name: hubble-server-certs
|
||||||
|
hubble-relay-client-cert-generate: true
|
||||||
|
hubble-relay-client-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
|
||||||
|
hubble-relay-client-cert-validity-duration: 94608000s
|
||||||
|
hubble-relay-client-cert-secret-name: hubble-relay-client-certs
|
||||||
|
hubble-relay-server-cert-generate: false
|
||||||
|
|
|
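Review bot: The boolean entries of `cilium_certgen_args` (`ca-reuse-secret`, `ca-generate`, `hubble-server-cert-generate`, `hubble-relay-client-cert-generate`, `hubble-relay-server-cert-generate`) are YAML booleans, so when the certgen Job template renders them with `{{ value }}` Jinja emits Python's `True`/`False`, whereas the literal args this dict replaces passed lowercase `true`/`false`. Whether certgen's flag parser accepts the capitalised form is not visible here; quoting them as strings, e.g. `ca-reuse-secret: 'true'` and `hubble-relay-server-cert-generate: 'false'`, keeps the rendered flags byte-identical to the old ones. The header comment would read better as `# Arguments for the Cilium certgen Job that issues the CA and the Hubble mTLS certificates; each key is rendered as --<key>=<value>`. It is also worth stating in that comment that the CA and both leaf certificates default to a 3-year validity (94608000s) and that the server CN is a wildcard over the whole `<cluster>.hubble-grpc.cilium.io` domain, since these are now user-overridable defaults rather than fixed args.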
@ -54,6 +54,7 @@ rules:
|
||||||
- services/status
|
- services/status
|
||||||
verbs:
|
verbs:
|
||||||
- update
|
- update
|
||||||
|
- patch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ""
|
- ""
|
||||||
resources:
|
resources:
|
||||||
|
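Review bot: The added `patch` verb on `services/status` widens the write scope of whichever subject this rule is bound to, and the rule's `apiGroups` and the binding start outside the hunk, so the effective grant cannot be checked from here. Since the only visible motivation is the LB IPAM fix in the commit title, a one-line comment above the verb, `# patch on services/status is required for LB IPAM to write the assigned LoadBalancer ingress IPs`, would keep a later RBAC cleanup from dropping it.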
@ -92,6 +93,8 @@ rules:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
|
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
|
||||||
- ciliumbgploadbalancerippools
|
- ciliumbgploadbalancerippools
|
||||||
|
- ciliumloadbalancerippools
|
||||||
|
- ciliumloadbalancerippools/status
|
||||||
- ciliumbgppeeringpolicies
|
- ciliumbgppeeringpolicies
|
||||||
- ciliumenvoyconfigs
|
- ciliumenvoyconfigs
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
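Review bot: `ciliumloadbalancerippools` and `ciliumloadbalancerippools/status` are added under the existing `>= 1.12` gate; if that CRD only exists from the release that introduced LB IPAM (1.13, as far as I recall), the rule is inert on 1.12 clusters, which is harmless but deserves a comment so the gate is not "fixed" later. The rule's `apiGroups` and `verbs` lie outside the hunk, so whether this grants write access on the `/status` subresource cannot be confirmed here. Suggested comment above the two lines: `# CiliumLoadBalancerIPPool and its status subresource (LB IPAM)`.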
@ -29,19 +29,10 @@ spec:
|
||||||
# line args instead of via config map. This allows users to inspect
|
# line args instead of via config map. This allows users to inspect
|
||||||
# the values used in past runs by inspecting the completed pod.
|
# the values used in past runs by inspecting the completed pod.
|
||||||
args:
|
args:
|
||||||
- "--cilium-namespace=kube-system"
|
{% for key, value in cilium_certgen_args.items() -%}
|
||||||
- "--ca-reuse-secret=true"
|
- "--{{ key }}={{ value }}"
|
||||||
- "--ca-secret-name=hubble-ca-secret"
|
{% endfor %}
|
||||||
- "--ca-generate=true"
|
|
||||||
- "--ca-validity-duration=94608000s"
|
|
||||||
- "--hubble-server-cert-generate=true"
|
|
||||||
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
|
|
||||||
- "--hubble-server-cert-validity-duration=94608000s"
|
|
||||||
- "--hubble-server-cert-secret-name=hubble-server-certs"
|
|
||||||
- "--hubble-relay-client-cert-generate=true"
|
|
||||||
- "--hubble-relay-client-cert-validity-duration=94608000s"
|
|
||||||
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
|
|
||||||
- "--hubble-relay-server-cert-generate=false"
|
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
ttlSecondsAfterFinished: 1800
|
ttlSecondsAfterFinished: 1800
|
||||||
|
|
|
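Review bot: The new loop renders `- "--{{ key }}={{ value }}"` inside a double-quoted YAML scalar without escaping, so any override of `cilium_certgen_args` whose value contains `"` or a newline breaks the rendered Job manifest, and boolean values come out as `True`/`False` instead of the `true`/`false` the removed literal lines passed. Building the whole item with `to_json` makes the quoting robust: `- {{ ('--' ~ key ~ '=' ~ value) | to_json }}`; lower-casing booleans additionally needs `(value | string | lower) if value is boolean else value` in place of `value`, which matters only if certgen's parser is strict about case (not visible here). The same loop is introduced in the second certgen Job hunk (`@ -25,19 +25,10 @@`), so the change applies there too. The `-%}` on the `for` tag strips the newline and indentation before the item line, so each rendered item takes the column of the `{% for` tag itself; the rendered page hides indentation, so please verify the tag sits at the same column as the old `- "--..."` entries.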
@ -138,8 +138,28 @@ spec:
|
||||||
env:
|
env:
|
||||||
- name: EVENTS_SERVER_PORT
|
- name: EVENTS_SERVER_PORT
|
||||||
value: "8090"
|
value: "8090"
|
||||||
|
{% if cilium_hubble_tls_generate -%}
|
||||||
|
- name: TLS_TO_RELAY_ENABLED
|
||||||
|
value: "true"
|
||||||
|
- name: FLOWS_API_ADDR
|
||||||
|
value: "hubble-relay:443"
|
||||||
|
- name: TLS_RELAY_SERVER_NAME
|
||||||
|
value: ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io
|
||||||
|
- name: TLS_RELAY_CA_CERT_FILES
|
||||||
|
value: /var/lib/hubble-ui/certs/hubble-server-ca.crt
|
||||||
|
- name: TLS_RELAY_CLIENT_CERT_FILE
|
||||||
|
value: /var/lib/hubble-ui/certs/client.crt
|
||||||
|
- name: TLS_RELAY_CLIENT_KEY_FILE
|
||||||
|
value: /var/lib/hubble-ui/certs/client.key
|
||||||
|
{% else -%}
|
||||||
- name: FLOWS_API_ADDR
|
- name: FLOWS_API_ADDR
|
||||||
value: "hubble-relay:80"
|
value: "hubble-relay:80"
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
volumeMounts:
|
||||||
|
- name: tls
|
||||||
|
mountPath: /var/lib/hubble-ui/certs
|
||||||
|
readOnly: true
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8090
|
- containerPort: 8090
|
||||||
name: grpc
|
name: grpc
|
||||||
|
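Review bot: The `volumeMounts` block mounting `tls` at `/var/lib/hubble-ui/certs` is added after `{% endif %}`, i.e. unconditionally, while the env vars that use it are gated on `cilium_hubble_tls_generate`; the matching `tls` volume in the next hunk (`@ -150,5 +170,17 @@`) projects the secret `hubble-relay-client-certs` without `optional: true`, so with `cilium_hubble_tls_generate` false the pod references a secret that was never generated and will not start. Either wrap both the mount and the volume in the same `{% if cilium_hubble_tls_generate -%}` … `{% endif %}` guard, or add `optional: true` under `- secret:`. Separately, the UI now dials `hubble-relay:443` with `TLS_TO_RELAY_ENABLED`, while the defaults added in this commit keep `hubble-relay-server-cert-generate: false`; unless relay is configured elsewhere in the commit to serve TLS with a server certificate, the UI's handshake will fail, so this is worth confirming. The container spec continues outside the hunk.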
@ -150,5 +170,17 @@ spec:
|
||||||
defaultMode: 420
|
defaultMode: 420
|
||||||
name: hubble-ui-nginx
|
name: hubble-ui-nginx
|
||||||
name: hubble-ui-nginx-conf
|
name: hubble-ui-nginx-conf
|
||||||
|
- projected:
|
||||||
|
sources:
|
||||||
|
- secret:
|
||||||
|
name: hubble-relay-client-certs
|
||||||
|
items:
|
||||||
|
- key: ca.crt
|
||||||
|
path: hubble-server-ca.crt
|
||||||
|
- key: tls.crt
|
||||||
|
path: client.crt
|
||||||
|
- key: tls.key
|
||||||
|
path: client.key
|
||||||
|
name: tls
|
||||||
- emptyDir: {}
|
- emptyDir: {}
|
||||||
name: tmp-dir
|
name: tmp-dir
|
||||||
|
|
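Review bot: The projected `tls` volume carries the private key `client.key` but sets no `defaultMode`, so the key is projected with the Kubernetes default (0644) and is readable by every user in the container, unlike the configmap volume above it which sets `defaultMode: 420` explicitly; `defaultMode: 256  # 0400` under `- projected:` would limit it to the file owner, provided the backend's `runAsUser`/`fsGroup` (not visible here) matches. The secret reused here is `hubble-relay-client-certs`, so the UI backend and Hubble Relay present the same client identity to the peers they talk to; if certgen can issue a dedicated UI client certificate, a separate secret would keep the two identities distinguishable for server-side logging and revocation. The deployment spec continues outside the hunk.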
|
@ -25,19 +25,10 @@ spec:
|
||||||
# line args instead of via config map. This allows users to inspect
|
# line args instead of via config map. This allows users to inspect
|
||||||
# the values used in past runs by inspecting the completed pod.
|
# the values used in past runs by inspecting the completed pod.
|
||||||
args:
|
args:
|
||||||
- "--cilium-namespace=kube-system"
|
{% for key, value in cilium_certgen_args.items() -%}
|
||||||
- "--ca-reuse-secret=true"
|
- "--{{ key }}={{ value }}"
|
||||||
- "--ca-secret-name=hubble-ca-secret"
|
{% endfor %}
|
||||||
- "--ca-generate=true"
|
|
||||||
- "--ca-validity-duration=94608000s"
|
|
||||||
- "--hubble-server-cert-generate=true"
|
|
||||||
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
|
|
||||||
- "--hubble-server-cert-validity-duration=94608000s"
|
|
||||||
- "--hubble-server-cert-secret-name=hubble-server-certs"
|
|
||||||
- "--hubble-relay-client-cert-generate=true"
|
|
||||||
- "--hubble-relay-client-cert-validity-duration=94608000s"
|
|
||||||
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
|
|
||||||
- "--hubble-relay-server-cert-generate=false"
|
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
ttlSecondsAfterFinished: 1800
|
ttlSecondsAfterFinished: 1800
|
||||||
|
|
|
@ -58,7 +58,11 @@ spec:
|
||||||
k8s-app: hubble-relay
|
k8s-app: hubble-relay
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
|
{% if cilium_hubble_tls_generate -%}
|
||||||
|
port: 443
|
||||||
|
{% else -%}
|
||||||
port: 80
|
port: 80
|
||||||
|
{% endif -%}
|
||||||
targetPort: 4245
|
targetPort: 4245
|
||||||
---
|
---
|
||||||
# Source: cilium/templates/hubble-ui-service.yaml
|
# Source: cilium/templates/hubble-ui-service.yaml
|
||||||
|
|
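Review bot: `{% endif -%}` strips the newline and the leading whitespace before `targetPort: 4245`, so that key is rendered at the column of the endif tag itself, and `{% if cilium_hubble_tls_generate -%}` and `{% else -%}` do the same for `port: 443` and the context line `port: 80`; the rendered page hides indentation, so please verify that all three tags sit at exactly the column of `port:`/`targetPort:` inside the `- protocol: TCP` item, otherwise one branch of the Service renders invalid YAML. With Ansible's `trim_blocks` enabled, the plain `{% endif %}` form (and `{% else %}`) removes only the trailing newline and keeps the following line's own indentation, which avoids the dependency on tag placement. The Service spec continues outside the hunk.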