Available in editions:  CE, BE, SE, SE+, EE

The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/cilium-hubble resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cilium-hubble
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable cilium-hubble

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cilium-hubble
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable cilium-hubble

If the cni-cilium module is disabled, the ciliumHubbleEnabled: parameter will not affect the enabling of the cilium-hubble module.

Conversions

The module is configured using the ModuleConfig resource, the schema of which contains a version number. When you apply an old version of the ModuleConfig schema in a cluster, automatic transformations are performed. To manually update the ModuleConfig schema version, the following steps must be completed sequentially for each version :

Settings

The module is configured using the ModuleConfig custom resource named cilium-hubble (learn more about setting up Deckhouse…).

Example of the ModuleConfig/cilium-hubble resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cilium-hubble
spec:
  version: 2
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 2

  • settings
    object
    • settings.auth
      object

      Options related to authentication or authorization in the Hubble web UI.

      • settings.auth.allowedUserEmails
        array of strings

        An array of emails of users that can access module’s public web interfaces.

        This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      • settings.auth.allowedUserGroups
        array of strings

        An array of user groups that can access Hubble web UI.

        This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

        Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

      • settings.auth.externalAuthentication
        object

        Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.

        External authentication is enabled automatically if the user-authn module is enabled.

        • settings.auth.externalAuthentication.authSignInURL
          string

          The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

          Example:

          authSignInURL: https://example.com/dex/sign_in
        • settings.auth.externalAuthentication.authURL
          string

          The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

          Example:

          authURL: https://example.com/dex/auth
      • settings.auth.whitelistSourceRanges
        array of strings

        An array if CIDRs that are allowed to authenticate in Hubble web UI.

        Example:

        whitelistSourceRanges:
- 1.1.1.1/32
    • settings.debugLogging
      boolean

      Enabled debug logging for Cilium Hubble component.

      Default: false

    • settings.https
      object

      What certificate type to use.

      This parameter completely overrides the global.modules.https settings.

      Examples:

      https:
  mode: Disabled

      https:
  mode: OnlyInURI

      https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

      https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt
      • settings.https.certManager
        object

        Parameters for certmanager.

        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for getting an SSL certificate (currently, letsencrypt, letsencrypt-staging, selfsigned are available; also, you can define your own).

          Default: letsencrypt

          Examples:

          clusterIssuerName: letsencrypt

          clusterIssuerName: letsencrypt-staging

          clusterIssuerName: selfsigned
      • settings.https.customCertificate
        object

        Parameters for custom certificate usage.

        • settings.https.customCertificate.secretName
          string

          The name of the secret in the d8-system namespace to use with the Hubble web UI.

          This secret must have the kubernetes.io/tls format.

      • settings.https.mode
        string

        The HTTPS usage mode:

        • CertManager — the web UI is accessed over HTTPS using a certificate obtained from a clusterIssuer specified in the certManager.clusterIssuerName parameter;
        • CustomCertificate — the web UI is accessed over HTTPS using a certificate from the d8-system namespace;
        • Disabled — in this mode, the documentation web UI can only be accessed over HTTP;
        • OnlyInURI — the documentation web UI will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.

        Default: CertManager

        Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

    • settings.ingressClass
      string

      The class of the Ingress controller used for Hubble.

      Optional. By default, the modules.ingressClass global value is used.

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

    • settings.nodeSelector
      object

      The same as the spec.nodeSelector pod parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

    • settings.tolerations
      array of objects

      The same as spec.tolerations for the Kubernetes Pod.

      If the parameter is omitted or false, it will be determined automatically.

      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string

Authentication

user-authn module provides authentication by default. Also, externalAuthentication can be configured. If these options are disabled, the module will use basic auth with the auto-generated password.

To view the generated password, run the command:

d8 k -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module values cilium-hubble -o json | jq '.ciliumHubble.internal.auth.password'

To generate a new password, delete the Secret:

d8 k -n d8-cni-cilium delete secret/hubble-basic-auth

The auth.password parameter is deprecated.