From a9f52060c9b549e074ed96ac0451bf20efe2fdf6 Mon Sep 17 00:00:00 2001
From: prashantchitta
Date: Tue, 21 Mar 2023 12:50:12 -0700
Subject: [PATCH] Fix ciliums hubble relay configuration (#9876)
* Fix ciliums hubble relay configuration
* Fixed the tls from code review
* Updated to dna_domain instead of hardcoding
---
 .../cilium/templates/hubble/config.yml.j2 | 13 +++---
 .../cilium/templates/hubble/deploy.yml.j2 | 3 --
 .../cilium/templates/hubble/service.yml.j2 | 40 +++++++++++++++++++
 3 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/roles/network_plugin/cilium/templates/hubble/config.yml.j2 b/roles/network_plugin/cilium/templates/hubble/config.yml.j2
index fd3e6b6fd..837f0c5b9 100644
--- a/roles/network_plugin/cilium/templates/hubble/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/hubble/config.yml.j2
@@ -1,5 +1,5 @@
 ---
-# Source: cilium/templates/hubble-relay-configmap.yaml
+# Source: cilium helm chart: cilium/templates/hubble-relay/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -7,12 +7,13 @@ metadata:
 namespace: kube-system
 data:
 config.yaml: |
- peer-service: unix:///var/run/cilium/hubble.sock
+ peer-service: "hubble-peer.kube-system.svc.{{ dns_domain }}:443"
 listen-address: :4245
- dial-timeout:
- retry-timeout:
- sort-buffer-len-max:
- sort-buffer-drain-timeout:
+ metrics-listen-address: ":9966"
+ dial-timeout:
+ retry-timeout:
+ sort-buffer-len-max:
+ sort-buffer-drain-timeout:
 tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
 tls-client-key-file: /var/lib/hubble-relay/tls/client.key
 tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
diff --git a/roles/network_plugin/cilium/templates/hubble/deploy.yml.j2 b/roles/network_plugin/cilium/templates/hubble/deploy.yml.j2
index 27144193f..9f4b106af 100644
--- a/roles/network_plugin/cilium/templates/hubble/deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/hubble/deploy.yml.j2
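Review bot: The relay config keeps `tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt` while the deploy.yml.j2 part of this patch only deletes the `hubble-ca-cert` configMap projection that used to place that file (the diffstat shows 3 deletions and no additions for that template). Unless the secret-backed projection that supplies `client.crt`/`client.key`, whose start lies outside the visible hunk, already maps a CA key to `hubble-server-ca.crt`, the relay has no trust anchor for the peers it now dials at `hubble-peer.kube-system.svc.{{ dns_domain }}:443` and the TLS handshake fails on every connection; please confirm the rendered volume. A short comment above `tls-hubble-server-ca-files` recording where the file must now come from would prevent the next cleanup from breaking it again, e.g. `# hubble-server-ca.crt is projected from the relay client-certs secret; the hubble-ca-cert configMap projection was removed`. The `dial-timeout:` through `sort-buffer-drain-timeout:` keys are re-added with empty values, which is YAML null rather than an explicit setting; if leaving them empty is intentional, say so in a comment.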
@@ -83,9 +83,6 @@ spec:
 path: client.crt - key: tls.key path: client.key - - configMap: - name: hubble-ca-cert - items: - key: ca.crt path: hubble-server-ca.crt name: tls
diff --git a/roles/network_plugin/cilium/templates/hubble/service.yml.j2 b/roles/network_plugin/cilium/templates/hubble/service.yml.j2
index 56dba7631..e3e882d9d 100644
--- a/roles/network_plugin/cilium/templates/hubble/service.yml.j2
+++ b/roles/network_plugin/cilium/templates/hubble/service.yml.j2
@@ -21,6 +21,27 @@ spec:
 targetPort: hubble-metrics
 selector:
 k8s-app: cilium
+---
+# Source: cilium/templates/hubble-relay/metrics-service.yaml
+# We use a separate service from hubble-relay which can be exposed externally
+kind: Service
+apiVersion: v1
+metadata:
+ name: hubble-relay-metrics
+ namespace: kube-system
+ labels:
+ k8s-app: hubble-relay
+spec:
+ clusterIP: None
+ type: ClusterIP
+ selector:
+ k8s-app: hubble-relay
+ ports:
+ - name: metrics
+ port: 9966
+ protocol: TCP
+ targetPort: prometheus
+
 {% endif %}
 ---
 # Source: cilium/templates/hubble-relay-service.yaml
@@ -56,3 +77,22 @@ spec:
 port: 80
 targetPort: 8081
 type: ClusterIP
+---
+# Source: cilium/templates/hubble/peer-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: hubble-peer
+ namespace: kube-system
+ labels:
+ k8s-app: cilium
+spec:
+ selector:
+ k8s-app: cilium
+ ports:
+ - name: peer-service
+ port: 443
+ protocol: TCP
+ targetPort: 4244
+ internalTrafficPolicy: Local
+
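Review bot: The new `hubble-relay-metrics` Service uses the named `targetPort: prometheus`, but this patch adds no port to the hubble-relay Deployment (deploy.yml.j2 carries only deletions), so unless the relay container already declares a port named `prometheus` the Service selects the pods yet resolves no endpoint. Either add `ports: - name: prometheus` with `containerPort: 9966` to the relay container, or use the numeric `targetPort: 9966` that matches `metrics-listen-address: ":9966"` in config.yml.j2. The Service is also placed inside the existing Jinja `{% if %}` block whose opening tag lies before this hunk, so it is gated by that condition while the config enables the listener unconditionally; it is worth checking that this is the intended coupling. Since the header comment invites exposing this Service externally and the metrics endpoint is presumably served without authentication, a NetworkPolicy limiting who may reach port 9966 should accompany any such exposure.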
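Review bot: The `hubble-peer` Service maps 443 to `targetPort: 4244` on the `k8s-app: cilium` pods, which assumes the agent's Hubble server is listening on 4244 (`hubble-listen-address` in the agent config, not part of this patch); please confirm that setting and record the dependency next to the port, e.g. `# must match hubble-listen-address in the cilium agent ConfigMap`. `internalTrafficPolicy: Local` is only accepted by Kubernetes 1.22 and later (GA in 1.26), so if this template is still rendered for older control planes it needs a version guard. The hunk also ends with an added empty line after `internalTrafficPolicy: Local`, leaving the file terminated by a blank line rather than a single newline.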