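---
# Source: cilium/templates/hubble-relay-deployment.yaml
#
# Jinja2 template for two Deployments in kube-system: hubble-relay (below) and
# hubble-ui (second document). TLS volumes, mounts and settings are rendered
# only when cilium_hubble_tls_generate is true.
#
# Template whitespace: each opening if-tag that ends in a dash sits at the
# indentation of the YAML item after it, because the dash strips that item's
# own leading whitespace. Each endif is followed by a blank line so the next
# key still starts on its own line if the renderer trims the newline after a
# block tag.
#
# NOTE(review): the hubble-relay pod sets no securityContext, and no container
# in this file declares resource requests or limits.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hubble-relay
  labels:
    k8s-app: hubble-relay
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: hubble-relay
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      # Explicit empty map instead of a bare key, which parses as null.
      annotations: {}
      labels:
        k8s-app: hubble-relay
    spec:
      # Hard requirement: schedule only onto a node that already runs a pod
      # labelled k8s-app=cilium.
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: "k8s-app"
                    operator: In
                    values:
                      - cilium
              topologyKey: "kubernetes.io/hostname"
      containers:
        - name: hubble-relay
          image: "{{ cilium_hubble_relay_image_repo }}:{{ cilium_hubble_relay_image_tag }}"
          # Quoted so an empty or boolean-looking expansion stays a string.
          imagePullPolicy: "{{ k8s_image_pull_policy }}"
          command:
            - hubble-relay
          args:
            - serve
          ports:
            - name: grpc
              containerPort: 4245
          # Both probes only check that the grpc port accepts TCP connections.
          readinessProbe:
            tcpSocket:
              port: grpc
          livenessProbe:
            tcpSocket:
              port: grpc
          volumeMounts:
            # Host directory, mounted read-only (see the hostPath volume).
            - mountPath: /var/run/cilium
              name: hubble-sock-dir
              readOnly: true
            - mountPath: /etc/hubble-relay
              name: config
              readOnly: true
            {% if cilium_hubble_tls_generate -%}
            - mountPath: /var/lib/hubble-relay/tls
              name: tls
              readOnly: true
            {%- endif %}

      restartPolicy: Always
      # serviceAccount is the deprecated alias of serviceAccountName; both are
      # kept as in the upstream manifest.
      serviceAccount: hubble-relay
      serviceAccountName: hubble-relay
      # 0 means the container is killed immediately on pod termination.
      terminationGracePeriodSeconds: 0
      volumes:
        - configMap:
            name: hubble-relay-config
            items:
              - key: config.yaml
                path: config.yaml
          name: config
        # hostPath gives the pod a view of a node directory; type Directory
        # makes the mount fail if the path does not already exist on the node.
        - hostPath:
            path: /var/run/cilium
            type: Directory
          name: hubble-sock-dir
        {% if cilium_hubble_tls_generate -%}
        - projected:
            sources:
              - secret:
                  name: hubble-relay-client-certs
                  items:
                    - key: ca.crt
                      path: hubble-server-ca.crt
                    - key: tls.crt
                      path: client.crt
                    - key: tls.key
                      path: client.key
              # NOTE(review): this projects the private key of
              # hubble-server-certs into the relay pod as server.key; confirm
              # relay is meant to share that key rather than use its own
              # server certificate.
              - secret:
                  name: hubble-server-certs
                  items:
                    - key: tls.crt
                      path: server.crt
                    - key: tls.key
                      path: server.key
          name: tls
        {%- endif %}

---
# Source: cilium/templates/hubble-ui/deployment.yaml
#
# hubble-ui Deployment: a frontend container on port 8081 and a backend
# container that reaches the relay at FLOWS_API_ADDR.
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: kube-system
  labels:
    k8s-app: hubble-ui
  name: hubble-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: hubble-ui
  template:
    metadata:
      # Explicit empty map instead of a bare key, which parses as null.
      annotations: {}
      labels:
        k8s-app: hubble-ui
    spec:
      # NOTE(review): only runAsUser is set. Neither container sets
      # allowPrivilegeEscalation, capabilities or readOnlyRootFilesystem;
      # consider a container-level securityContext once the images are
      # confirmed to run with it.
      securityContext:
        runAsUser: 1001
      # serviceAccount is the deprecated alias of serviceAccountName.
      serviceAccount: hubble-ui
      serviceAccountName: hubble-ui
      containers:
        - name: frontend
          image: "{{ cilium_hubble_ui_image_repo }}:{{ cilium_hubble_ui_image_tag }}"
          imagePullPolicy: "{{ k8s_image_pull_policy }}"
          ports:
            - containerPort: 8081
              name: http
          volumeMounts:
            # subPath mounts the single nginx.conf key as default.conf.
            - name: hubble-ui-nginx-conf
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: nginx.conf
            - name: tmp-dir
              mountPath: /tmp
          resources: {}
        - name: backend
          image: "{{ cilium_hubble_ui_backend_image_repo }}:{{ cilium_hubble_ui_backend_image_tag }}"
          imagePullPolicy: "{{ k8s_image_pull_policy }}"
          env:
            - name: EVENTS_SERVER_PORT
              value: "8090"
            # With TLS the backend talks to hubble-relay:443 using a client
            # certificate; without it, it talks to hubble-relay:80 and sets no
            # TLS variables.
            {% if cilium_hubble_tls_generate -%}
            - name: TLS_TO_RELAY_ENABLED
              value: "true"
            - name: FLOWS_API_ADDR
              value: "hubble-relay:443"
            - name: TLS_RELAY_SERVER_NAME
              value: "ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
            - name: TLS_RELAY_CA_CERT_FILES
              value: /var/lib/hubble-ui/certs/hubble-server-ca.crt
            - name: TLS_RELAY_CLIENT_CERT_FILE
              value: /var/lib/hubble-ui/certs/client.crt
            - name: TLS_RELAY_CLIENT_KEY_FILE
              value: /var/lib/hubble-ui/certs/client.key
            {% else -%}
            - name: FLOWS_API_ADDR
              value: "hubble-relay:80"
            {% endif %}

          # The certificate mount follows the same flag as the TLS variables
          # above. Mounted unconditionally, the pod references the
          # hubble-relay-client-certs secret even when TLS is off, and cannot
          # start if that secret is absent.
          {% if cilium_hubble_tls_generate -%}
          volumeMounts:
            - name: tls
              mountPath: /var/lib/hubble-ui/certs
              readOnly: true
          {%- endif %}

          ports:
            - containerPort: 8090
              name: grpc
          resources: {}
      volumes:
        - configMap:
            # 420 decimal is octal 0644.
            defaultMode: 420
            name: hubble-ui-nginx
          name: hubble-ui-nginx-conf
        # Client certificate, key and CA for the backend; rendered only
        # together with the mount and TLS variables that use them.
        {% if cilium_hubble_tls_generate -%}
        - projected:
            sources:
              - secret:
                  name: hubble-relay-client-certs
                  items:
                    - key: ca.crt
                      path: hubble-server-ca.crt
                    - key: tls.crt
                      path: client.crt
                    - key: tls.key
                      path: client.key
          name: tls
        {%- endif %}

        - emptyDir: {}
          name: tmp-dir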