Available in editions: CE, BE, SE, SE+, EE
The module lifecycle stage: General Availability
The module is not enabled by default in any bundles.
If the cni-cilium module is disabled, the ciliumHubbleEnabled: parameter will not affect the enabling of the cilium-hubble module.
How to explicitly enable the module…
You may explicitly enable or disable the module in one of the following ways:
-
Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the
cilium-hubblemodule and enable (or disable) the “Module enabled” toggle. Save changes.Example:
-
Via Deckhouse CLI (d8).
Use the d8 system module enable command for enabling, or d8 system module disable command for disabling the module (you need Deckhouse CLI (d8), configured to work with the cluster).
Example of enabling the module:
d8 system module enable cilium-hubble -
Using ModuleConfig
cilium-hubble.Set
spec.enabledtotrueorfalsein ModuleConfigcilium-hubble(create it if necessary);Example of a manifest to enable module
cilium-hubble:apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: cilium-hubble spec: enabled: true
You can configure the module in one of the following ways:
-
Via Deckhouse web UI.
In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the
cilium-hubblemodule and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.Example:
You can also edit the ModuleConfig object
cilium-hubbleon the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the modulecilium-hubble) by specifying the schema version in thespec.versionparameter and the necessary module parameters in thespec.settingssection. -
Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).
Edit the existing ModuleConfig
cilium-hubble(for more details on configuring Deckhouse, see the documentation) by executing the following command:d8 k edit mc cilium-hubbleMake the necessary changes in the
spec.settingssection. If necessary, specify the schema version in thespec.versionparameter. Save the changes.You can also create a file with manifest for ModuleConfig
cilium-hubbleusing the example below. Fill in thespec.settingssection with the required module parameters. If necessary, specify the schema version in thespec.versionparameter.Apply the manifest using the following command (indicate the manifest file name):
d8 k apply -f <FILENAME>Example of a manifest for ModuleConfig
cilium-hubble:apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: cilium-hubble spec: version: 2 enabled: true settings: # Module parameters from the "Parameters" section below.
Requirements
To the versions of other modules:
-
cni-cilium: any version.
Conversions
The module is configured using the ModuleConfig resource, the schema of which contains a version number. When you apply an old version of the ModuleConfig schema in a cluster, automatic transformations are performed. To manually update the ModuleConfig schema version, the following steps must be completed sequentially for each version :
- Updates from version 1 to 2:
Conversion description is missing.
Parameters
Schema version: 2
- objectsettings
- objectsettings.auth
Options related to authentication or authorization in the Hubble web UI.
- array of stringssettings.auth.allowedUserEmails
An array of emails of users that can access module’s public web interfaces.
This parameter is used if the
user-authnmodule is enabled or theexternalAuthenticationparameter is set. - array of stringssettings.auth.allowedUserGroups
An array of user groups that can access Hubble web UI.
This parameter is used if the
user-authnmodule is enabled or theexternalAuthenticationparameter is set.Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
- objectsettings.auth.externalAuthentication
Parameters to enable external authentication based on the Ingress NGINX external-auth mechanism that uses the Nginx auth_request module.
External authentication is enabled automatically if the user-authn module is enabled.
- stringsettings.auth.externalAuthentication.authSignInURL
The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
Example:
authSignInURL: https://example.com/dex/sign_in - stringsettings.auth.externalAuthentication.authURL
The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
Example:
authURL: https://example.com/dex/auth
- array of stringssettings.auth.whitelistSourceRanges
An array if CIDRs that are allowed to authenticate in Hubble web UI.
Example:
whitelistSourceRanges: - 1.1.1.1/32
- booleansettings.debugLogging
Enabled debug logging for Cilium Hubble component.
Default:
false - objectsettings.https
What certificate type to use.
This parameter completely overrides the
global.modules.httpssettings.Examples:
https: mode: Disabledhttps: mode: OnlyInURIhttps: mode: CustomCertificate customCertificate: secretName: foobarhttps: mode: CertManager certManager: clusterIssuerName: letsencrypt- objectsettings.https.certManager
Parameters for certmanager.
- stringsettings.https.certManager.clusterIssuerName
What ClusterIssuer to use for getting an SSL certificate (currently,
letsencrypt,letsencrypt-staging,selfsignedare available; also, you can define your own).Default:
letsencryptExamples:
clusterIssuerName: letsencryptclusterIssuerName: letsencrypt-stagingclusterIssuerName: selfsigned
- objectsettings.https.customCertificate
Parameters for custom certificate usage.
- stringsettings.https.customCertificate.secretName
The name of the secret in the
d8-systemnamespace to use with the Hubble web UI.This secret must have the kubernetes.io/tls format.
- stringsettings.https.mode
The HTTPS usage mode:
CertManager— the web UI is accessed over HTTPS using a certificate obtained from a clusterIssuer specified in thecertManager.clusterIssuerNameparameter;CustomCertificate— the web UI is accessed over HTTPS using a certificate from thed8-systemnamespace;Disabled— in this mode, the documentation web UI can only be accessed over HTTP;OnlyInURI— the documentation web UI will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in theuser-authnwill be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.
Default:
CertManagerAllowed values:
Disabled,CertManager,CustomCertificate,OnlyInURI
- stringsettings.ingressClass
The class of the Ingress controller used for Hubble.
Optional. By default, the
modules.ingressClassglobal value is used.Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - objectsettings.nodeSelector
The same as the
spec.nodeSelectorpod parameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically. - array of objectssettings.tolerations
The same as
spec.tolerationsfor the Kubernetes Pod.If the parameter is omitted or
false, it will be determined automatically.- stringsettings.tolerations.effect
- stringsettings.tolerations.key
- stringsettings.tolerations.operator
- integersettings.tolerations.tolerationSeconds
- stringsettings.tolerations.value
Authentication
user-authn module provides authentication by default. Also, externalAuthentication can be configured. If these options are disabled, the module will use basic auth with the auto-generated password.
To view the generated password, run the command:
d8 k -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module values cilium-hubble -o json | jq '.ciliumHubble.internal.auth.password'
To generate a new password, delete the Secret:
d8 k -n d8-cni-cilium delete secret/hubble-basic-auth
The auth.password parameter is deprecated.