[cilium] fix rbac and upgrade hubble v0.11.0 (#3) #9959

Merged
merged 2 commits into from
Apr 10, 2023
Merged
4 changes: 2 additions & 2 deletions roles/download/defaults/main.yml
Expand Up @@ -1031,9 +1031,9 @@ cilium_hubble_relay_image_tag: "{{ cilium_version }}"
cilium_hubble_certgen_image_repo: "{{ quay_image_repo }}/cilium/certgen"
cilium_hubble_certgen_image_tag: "v0.1.8"
cilium_hubble_ui_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui"
cilium_hubble_ui_image_tag: "v0.9.2"
cilium_hubble_ui_image_tag: "v0.11.0"
cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-backend"
cilium_hubble_ui_backend_image_tag: "v0.9.2"
cilium_hubble_ui_backend_image_tag: "v0.11.0"
cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy"
cilium_hubble_envoy_image_tag: "v1.22.5"
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
17 changes: 17 additions & 0 deletions roles/network_plugin/cilium/defaults/main.yml
Expand Up @@ -273,3 +273,20 @@ cilium_rolling_restart_wait_retries_delay_seconds: 10
cilium_agent_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9962', '9090') }}"
cilium_operator_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9963', '6942') }}"
cilium_hubble_scrape_port: "{{ cilium_version | regex_replace('v') is version('1.12', '>=') | ternary('9965', '9091') }}"

# Cilium certgen args for generate certificate for hubble mTLS
cilium_certgen_args:
cilium-namespace: kube-system
ca-reuse-secret: true
ca-secret-name: hubble-ca-secret
ca-generate: true
ca-validity-duration: 94608000s
hubble-server-cert-generate: true
hubble-server-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
hubble-server-cert-validity-duration: 94608000s
hubble-server-cert-secret-name: hubble-server-certs
hubble-relay-client-cert-generate: true
hubble-relay-client-cert-common-name: '*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io'
hubble-relay-client-cert-validity-duration: 94608000s
hubble-relay-client-cert-secret-name: hubble-relay-client-certs
hubble-relay-server-cert-generate: false
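Review bot: The boolean entries (`ca-reuse-secret: true`, `ca-generate: true`, the three `*-cert-generate` keys) are YAML booleans, so the `--{{ key }}={{ value }}` loop in the Job/CronJob templates renders them as Python's `True`/`False` instead of the lowercase `true`/`false` the removed hard-coded args passed. Go's standard bool flag parsing accepts `True`, so certgen presumably behaves the same, but the rendered manifests now differ from the previous ones; quoting the values (`ca-reuse-secret: 'true'`) keeps the output byte-identical without relying on that. This is also a plain mapping in role defaults, so a user who overrides `cilium_certgen_args` replaces the whole dict under Ansible's default hash behaviour and silently drops any key they omit, e.g. `hubble-relay-server-cert-generate`. The header comment could say so: `# Args passed to cilium/certgen to issue the Hubble mTLS CA and certs; overriding this var replaces the whole mapping, so copy every key.`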
Expand Up @@ -54,6 +54,7 @@ rules:
- services/status
verbs:
- update
- patch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -92,6 +93,8 @@ rules:
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- ciliumbgploadbalancerippools
- ciliumloadbalancerippools
- ciliumloadbalancerippools/status
- ciliumbgppeeringpolicies
- ciliumenvoyconfigs
{% endif %}
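Review bot: The new `patch` verb on `services/status` and the `ciliumloadbalancerippools` / `ciliumloadbalancerippools/status` resources widen a ClusterRole whose file name and bound subject are not shown on this page; for least privilege, confirm this is the operator's role (presumably the component that writes LB IPAM assignments into Service status) rather than the agent's, since the agent runs on every node and a node compromise would then carry a cluster-wide patch right on Service status. The CRD names sit inside the existing `>= 1.12` gate while `patch` is ungated; RBAC rules naming a CRD that is not installed are inert, so that is harmless, but a short comment such as `# LB IPAM (CiliumLoadBalancerIPPool) needs patch on services/status` would record why the verb was added. The enclosing `rules:` list starts and ends outside both hunks.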
17 changes: 4 additions & 13 deletions roles/network_plugin/cilium/templates/hubble/cronjob.yml.j2
Expand Up @@ -29,19 +29,10 @@ spec:
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- "--cilium-namespace=kube-system"
- "--ca-reuse-secret=true"
- "--ca-secret-name=hubble-ca-secret"
- "--ca-generate=true"
- "--ca-validity-duration=94608000s"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
{% for key, value in cilium_certgen_args.items() -%}
- "--{{ key }}={{ value }}"
{% endfor %}
smart way to reduce duplicated configurations :-)


hostNetwork: true
restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800
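Review bot: The `-%}` on `{% for key, value in cilium_certgen_args.items() -%}` strips the newline and the leading indentation of the following `- "--{{ key }}={{ value }}"` line, so the rendered list items take whatever indentation precedes the `{% for` tag itself rather than the indentation written on the item line; this page does not show either indentation, so I cannot confirm what ends up under `args:`, but it is easy to break on a later edit. Ansible's template module already enables `trim_blocks`, which drops the newline after a block tag, so the plain `{% for key, value in cilium_certgen_args.items() %}` form keeps the item line's own indentation and renders the same list. The container and pod spec enclosing this loop continue outside the hunk.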
32 changes: 32 additions & 0 deletions roles/network_plugin/cilium/templates/hubble/deploy.yml.j2
Expand Up @@ -138,8 +138,28 @@ spec:
env:
- name: EVENTS_SERVER_PORT
value: "8090"
{% if cilium_hubble_tls_generate -%}
- name: TLS_TO_RELAY_ENABLED
value: "true"
- name: FLOWS_API_ADDR
value: "hubble-relay:443"
- name: TLS_RELAY_SERVER_NAME
value: ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io
- name: TLS_RELAY_CA_CERT_FILES
value: /var/lib/hubble-ui/certs/hubble-server-ca.crt
- name: TLS_RELAY_CLIENT_CERT_FILE
value: /var/lib/hubble-ui/certs/client.crt
- name: TLS_RELAY_CLIENT_KEY_FILE
value: /var/lib/hubble-ui/certs/client.key
{% else -%}
- name: FLOWS_API_ADDR
value: "hubble-relay:80"
{% endif %}

volumeMounts:
- name: tls
mountPath: /var/lib/hubble-ui/certs
readOnly: true
ports:
- containerPort: 8090
name: grpc
Expand All @@ -150,5 +170,17 @@ spec:
defaultMode: 420
name: hubble-ui-nginx
name: hubble-ui-nginx-conf
- projected:
sources:
- secret:
name: hubble-relay-client-certs
items:
- key: ca.crt
path: hubble-server-ca.crt
- key: tls.crt
path: client.crt
- key: tls.key
path: client.key
name: tls
- emptyDir: {}
name: tmp-dir
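Review bot: The `tls` volumeMount and the projected volume from secret `hubble-relay-client-certs` are emitted unconditionally, while the env block that consumes them is guarded by `{% if cilium_hubble_tls_generate %}`; if that secret is only created by the certgen Job when TLS generation is enabled (the Job's own guard is not on this page), a deployment with `cilium_hubble_tls_generate: false` references a missing secret and the backend pod stays in ContainerCreating. Wrap both the mount and the volume in the same guard (sketched below), or add `optional: true` under the `secret:` source if the non-TLS path should tolerate the secret being absent. Separately, the UI backend presents relay's own client certificate, so relay's peers cannot distinguish the two identities; a dedicated UI client certificate would keep them separate, if certgen can issue one.
```yaml
{% if cilium_hubble_tls_generate %}
          volumeMounts:
            - name: tls
              mountPath: /var/lib/hubble-ui/certs
              readOnly: true
{% endif %}
# … unchanged: ports, nginx config volume …
{% if cilium_hubble_tls_generate %}
        - projected:
            sources:
              # … unchanged: hubble-relay-client-certs items …
          name: tls
{% endif %}
```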
17 changes: 4 additions & 13 deletions roles/network_plugin/cilium/templates/hubble/job.yml.j2
Expand Up @@ -25,19 +25,10 @@ spec:
# line args instead of via config map. This allows users to inspect
# the values used in past runs by inspecting the completed pod.
args:
- "--cilium-namespace=kube-system"
- "--ca-reuse-secret=true"
- "--ca-secret-name=hubble-ca-secret"
- "--ca-generate=true"
- "--ca-validity-duration=94608000s"
- "--hubble-server-cert-generate=true"
- "--hubble-server-cert-common-name=*.{{ cilium_cluster_name }}.hubble-grpc.cilium.io"
- "--hubble-server-cert-validity-duration=94608000s"
- "--hubble-server-cert-secret-name=hubble-server-certs"
- "--hubble-relay-client-cert-generate=true"
- "--hubble-relay-client-cert-validity-duration=94608000s"
- "--hubble-relay-client-cert-secret-name=hubble-relay-client-certs"
- "--hubble-relay-server-cert-generate=false"
{% for key, value in cilium_certgen_args.items() -%}
- "--{{ key }}={{ value }}"
{% endfor %}

hostNetwork: true
restartPolicy: OnFailure
ttlSecondsAfterFinished: 1800
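Review bot: Each entry is rendered as `"--{{ key }}={{ value }}"` inside a YAML double-quoted scalar with no escaping, so any value containing `"` or `\` breaks the manifest; the two `*-common-name` values embed `cilium_cluster_name`, which is operator-supplied. Rendering the whole argument through `to_json` yields a correctly quoted scalar for any value: `- {{ ('--' ~ key ~ '=' ~ value) | to_json }}`. The same loop appears in cronjob.yml.j2; whichever form is chosen should be applied to both so the one-shot Job and the renewal CronJob keep issuing identical certificates. The container spec around this loop continues outside the hunk.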
4 changes: 4 additions & 0 deletions roles/network_plugin/cilium/templates/hubble/service.yml.j2
Expand Up @@ -58,7 +58,11 @@ spec:
k8s-app: hubble-relay
ports:
- protocol: TCP
{% if cilium_hubble_tls_generate -%}
port: 443
{% else -%}
port: 80
{% endif -%}
targetPort: 4245
---
# Source: cilium/templates/hubble-ui-service.yaml
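Review bot: Switching the relay Service port from 80 to 443 when `cilium_hubble_tls_generate` is set changes only the ClusterIP port number; `targetPort: 4245` is unchanged, so relay must itself terminate TLS on 4245 for the UI backend's `TLS_TO_RELAY_ENABLED` connection to `hubble-relay:443` to succeed, and the certgen defaults in this PR keep `hubble-relay-server-cert-generate: false`. The relay Deployment is not on this page, so confirm it is configured with a server certificate whose SAN covers `ui.{{ cilium_cluster_name }}.hubble-grpc.cilium.io`; if it still listens in plaintext the handshake fails regardless of the Service port. A comment on the branch would make the dependency explicit, e.g. `# 443 only labels the port: relay must serve TLS on 4245 with a cert for ui.<cluster>.hubble-grpc.cilium.io`. The Service spec continues outside the hunk.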