[cilium] fix rbac and upgrade hubble v0.11.0 (#3) (#9959)

* [cilium] fix rbac and upgrade hubble v0.11.0 (#3)

* [cilium] fix rbac for LB bgp ipam

* [cilium] Upgrade Hubble to v0.11.0 and add mTLS between Hubble UI and Hubble Relay

* fix Hubble DNS domain for TLS

---------

Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr>

* Fix blank line

---------

Co-authored-by: Thuon Jeremy <d107869@olinfra1.infra.bdm.outscale.c1.dav.fr>
pull/9970/head
jeremy-thuon 2023-04-10 07:07:15 +02:00 committed by GitHub
parent fcb5e77338
commit 4a03d13d08
7 changed files with 66 additions and 28 deletions


@ -1038,9 +1038,9 @@ cilium_hubble_relay_image_tag: "{{ cilium_version }}"
cilium_hubble_certgen_image_repo: "{{ quay_image_repo }}/cilium/certgen" cilium_hubble_certgen_image_repo: "{{ quay_image_repo }}/cilium/certgen"
cilium_hubble_certgen_image_tag: "v0.1.8" cilium_hubble_certgen_image_tag: "v0.1.8"
cilium_hubble_ui_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui" cilium_hubble_ui_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui"
cilium_hubble_ui_image_tag: "v0.9.2" cilium_hubble_ui_image_tag: "v0.11.0"
cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend" cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend"
cilium_hubble_ui_backend_image_tag: "v0.9.2" cilium_hubble_ui_backend_image_tag: "v0.11.0"
cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy" cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy"
cilium_hubble_envoy_image_tag: "v1.22.5" cilium_hubble_envoy_image_tag: "v1.22.5"
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn" kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"


@ -273,3 +273,20 @@ cilium_rolling_restart_wait_retries_delay_seconds: 10
cilium_agent_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9962', '9090') }}" cilium_agent_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9962', '9090') }}"
cilium_operator_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9963', '6942') }}" cilium_operator_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9963', '6942') }}"
cilium_hubble_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9965', '9091') }}" cilium_hubble_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9965', '9091') }}"
# Cilium certgen args for generate certificate for hubble mTLS
cilium_certgen_args:
cilium-namespace: kube-system
ca-reuse-secret: true
ca-secret-name: hubble-ca-secret
ca-generate: true
ca-validity-duration: 94608000s
hubble-server-cert-generate: true
hubble-server-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
hubble-server-cert-validity-duration: 94608000s
hubble-server-cert-secret-name: hubble-server-certs
hubble-relay-client-cert-generate: true
hubble-relay-client-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
hubble-relay-client-cert-validity-duration: 94608000s
hubble-relay-client-cert-secret-name: hubble-relay-client-certs
hubble-relay-server-cert-generate: false
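Review bot: `hubble-relay-server-cert-generate: false` leaves no server certificate for the relay, while the hubble-ui deployment in this same commit turns on TLS towards `hubble-relay:443` and verifies the name `ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io`; unless the relay's server-side TLS is provisioned outside this change, that handshake cannot succeed. If the relay is meant to terminate TLS, set `hubble-relay-server-cert-generate: true` together with the matching common-name, validity and secret-name keys in the same style as the `hubble-relay-client-cert-*` entries above, or add a comment stating where the relay's server certificate comes from. The hubble-relay service hunk, which switches the port to 443, rests on the same assumption. A short comment on the wildcard common name, e.g. `# wildcard must cover every hubble peer and the ui.<cluster> name used by hubble-ui`, would also help whoever overrides this dict.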


@ -54,6 +54,7 @@ rules:
- services/status - services/status
verbs: verbs:
- update - update
- patch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -92,6 +93,8 @@ rules:
{% endif %} {% endif %}
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %} {% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- ciliumbgploadbalancerippools - ciliumbgploadbalancerippools
- ciliumloadbalancerippools
- ciliumloadbalancerippools/status
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumenvoyconfigs - ciliumenvoyconfigs
{% endif %} {% endif %}
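Review bot: The new `ciliumloadbalancerippools` and `ciliumloadbalancerippools/status` entries, like the added `patch` verb on `services/status` in the first hunk, carry no explanation of which feature needs them, which makes the next RBAC audit harder; a comment such as `# LB IPAM: the operator patches services/status and the IP pool status` above them would do. The `>= 1.12` gate is inherited from the BGP pool entry; if I recall correctly the CiliumLoadBalancerIPPool CRD only ships from 1.13, so on 1.12 the rule names a resource that does not exist — harmless, but a `>= 1.13` gate would state the intent. The `verbs:` list of the rule holding these resources is outside the hunk, so how broad the grant on them is could not be confirmed here.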


@ -29,19 +29,10 @@ spec:
# line args instead of via config map. This allows users to inspect # line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod. # the values used in past runs by inspecting the completed pod.
args: args:
- "--cilium-namespace=kube-system" {% for key, value in cilium_certgen_args.items() -%}
- "--ca-reuse-secret=true" - "--{{ key }}={{ value }}"
- "--ca-secret-name=hubble-ca-secret" {% endfor %}
- "--ca-generate=true"
- "--ca-validity-duration=94608000s"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
hostNetwork: true hostNetwork: true
restartPolicy: OnFailure restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800 ttlSecondsAfterFinished: 1800
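Review bot: The `-%}` on `{% for key, value in cilium_certgen_args.items() -%}` strips all whitespace after the tag, including the indentation of the following `- "--{{ key }}={{ value }}"` line, so each rendered argument would start at column 0 under an indented `args:` unless the Jinja environment compensates; the rendered page does not preserve indentation, so please check the rendered CronJob manifest and, if the items lose their indent, use a plain `{% for key, value in cilium_certgen_args.items() %}`. The same `-%}` form appears in the hubble job template, in the hubble-ui deployment (`{% if cilium_hubble_tls_generate -%}`, `{% else -%}`) and in the hubble-relay service, where `{% endif -%}` sits directly before `targetPort: 4245`. Since `cilium_certgen_args` is now user-overridable, a value containing `"` or `\` would also break the double-quoted argument; the shipped defaults are safe, but a comment on the dict noting that values are substituted verbatim would be worth adding.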


@ -138,8 +138,28 @@ spec:
env: env:
- name: EVENTS_SERVER_PORT - name: EVENTS_SERVER_PORT
value: "8090" value: "8090"
{% if cilium_hubble_tls_generate -%}
- name: TLS_TO_RELAY_ENABLED
value: "true"
- name: FLOWS_API_ADDR
value: "hubble-relay:443"
- name: TLS_RELAY_SERVER_NAME
value: ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io
- name: TLS_RELAY_CA_CERT_FILES
value: /var/lib/hubble-ui/certs/hubble-server-ca.crt
- name: TLS_RELAY_CLIENT_CERT_FILE
value: /var/lib/hubble-ui/certs/client.crt
- name: TLS_RELAY_CLIENT_KEY_FILE
value: /var/lib/hubble-ui/certs/client.key
{% else -%}
- name: FLOWS_API_ADDR - name: FLOWS_API_ADDR
value: "hubble-relay:80" value: "hubble-relay:80"
{% endif %}
volumeMounts:
- name: tls
mountPath: /var/lib/hubble-ui/certs
readOnly: true
ports: ports:
- containerPort: 8090 - containerPort: 8090
name: grpc name: grpc
@ -150,5 +170,17 @@ spec:
defaultMode: 420 defaultMode: 420
name: hubble-ui-nginx name: hubble-ui-nginx
name: hubble-ui-nginx-conf name: hubble-ui-nginx-conf
- projected:
sources:
- secret:
name: hubble-relay-client-certs
items:
- key: ca.crt
path: hubble-server-ca.crt
- key: tls.crt
path: client.crt
- key: tls.key
path: client.key
name: tls
- emptyDir: {} - emptyDir: {}
name: tmp-dir name: tmp-dir
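Review bot: The `tls` volumeMount added after `{% endif %}` and the projected `hubble-relay-client-certs` volume in the second hunk are not gated by `cilium_hubble_tls_generate`, although the env vars that use them are; with TLS disabled that secret is presumably never generated, and a secret volume without `optional: true` keeps the pod in ContainerCreating until the secret exists. Wrap both the mount and the volume in the same `{% if cilium_hubble_tls_generate %}` block, or add `optional: true` to the `secret:` source. Separately, the UI authenticates with the relay's own client certificate, the credential the relay uses towards every Hubble peer under the wildcard `*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io`, so the UI pod holds more than it needs for UI-to-relay; a dedicated UI client certificate in its own secret would keep that scope narrow.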


@ -25,19 +25,10 @@ spec:
# line args instead of via config map. This allows users to inspect # line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod. # the values used in past runs by inspecting the completed pod.
args: args:
- "--cilium-namespace=kube-system" {% for key, value in cilium_certgen_args.items() -%}
- "--ca-reuse-secret=true" - "--{{ key }}={{ value }}"
- "--ca-secret-name=hubble-ca-secret" {% endfor %}
- "--ca-generate=true"
- "--ca-validity-duration=94608000s"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
hostNetwork: true hostNetwork: true
restartPolicy: OnFailure restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800 ttlSecondsAfterFinished: 1800


@ -58,7 +58,11 @@ spec:
k8s-app: hubble-relay k8s-app: hubble-relay
ports: ports:
- protocol: TCP - protocol: TCP
{% if cilium_hubble_tls_generate -%}
port: 443
{% else -%}
port: 80 port: 80
{% endif -%}
targetPort: 4245 targetPort: 4245
--- ---
# Source: cilium/templates/hubble-ui-service.yaml # Source: cilium/templates/hubble-ui-service.yaml