The cilium-hubble module: configuration

Schema version: 2

• authobject

  Options related to authentication or authorization in the Hubble web UI.

  • auth.allowedUserGroupsarray of strings

    An array of user groups that can access Hubble web UI.

    This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

    Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

  • auth.externalAuthenticationobject

    Parameters to enable external authentication based on the Nginx Ingress external-auth mechanism that uses the Nginx auth_request module.

    External authentication is enabled automatically if the user-authn module is enabled.

    • auth.externalAuthentication.authSignInURLstring

      The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

      Example:

      authSignInURL: https://example.com/dex/sign_in
      

    • auth.externalAuthentication.authURLstring

      The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

      Example:

      authURL: https://example.com/dex/auth
      

  • auth.whitelistSourceRangesarray of strings

    An array if CIDRs that are allowed to authenticate in Hubble web UI.

    Example:

    whitelistSourceRanges:
    - 1.1.1.1/32
    

• debugLoggingboolean

  Enabled debug logging for Cilium Hubble component.

  Default: false

• httpsobject

  What certificate type to use.

  This parameter completely overrides the global.modules.https settings.

  Examples:

  https:
    mode: Disabled
  

  https:
    mode: OnlyInURI
  

  https:
    mode: CustomCertificate
    customCertificate:
      secretName: foobar
  

  https:
    mode: CertManager
    certManager:
      clusterIssuerName: letsencrypt
  

  • https.certManagerobject

    Parameters for certmanager.

    • https.certManager.clusterIssuerNamestring

      What ClusterIssuer to use for getting an SSL certificate (currently, letsencrypt, letsencrypt-staging, selfsigned are available; also, you can define your own).

      Default: "letsencrypt"

      Examples:

      clusterIssuerName: letsencrypt
      

      clusterIssuerName: letsencrypt-staging
      

      clusterIssuerName: selfsigned
      

  • https.customCertificateobject

    Parameters for custom certificate usage.

    • https.customCertificate.secretNamestring

      The name of the secret in the d8-system namespace to use with the Hubble web UI.

      This secret must have the kubernetes.io/tls format.

  • https.modestring

    The HTTPS usage mode:

    • CertManager — the web UI is accessed over HTTPS using a certificate obtained from a clusterIssuer specified in the certManager.clusterIssuerName parameter;
    • CustomCertificate — the web UI is accessed over HTTPS using a certificate from the d8-system namespace;
    • Disabled — in this mode, the documentation web UI can only be accessed over HTTP;
    • OnlyInURI — the documentation web UI will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

    Default: "CertManager"

    Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

• nodeSelectorobject

  The same as the spec.nodeSelector pod parameter in Kubernetes.

  If the parameter is omitted or false, it will be determined automatically.

• tolerationsarray of objects

  The same as spec.tolerations for the Kubernetes Pod.

  If the parameter is omitted or false, it will be determined automatically.

  • tolerations.effectstring
  • tolerations.keystring
  • tolerations.operatorstring
  • tolerations.tolerationSecondsinteger
  • tolerations.valuestring