The module is not enabled by default in any bundles.
The module will be left disabled unless cni-cilium is used, regardless of the ciliumHubbleEnabled: parameter.
The module is configured using the ModuleConfig custom resource named cilium-hubble
(learn more about setting up Deckhouse…).
Example of the ModuleConfig/cilium-hubble resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cilium-hubble
spec:
  version: 2
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 2
- auth
Options related to authentication or authorization in the Hubble web UI.
- auth.allowedUserGroups
An array of user groups that can access the Hubble web UI.
This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.
Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
- auth.externalAuthentication
Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.
External authentication is enabled automatically if the user-authn module is enabled.
- auth.externalAuthentication.authSignInURL
The URL to redirect the user to for authentication (if the authentication service returned a non-200 HTTP response code).
Example:
authSignInURL: https://example.com/dex/sign_in
- auth.externalAuthentication.authURL
The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
Example:
authURL: https://example.com/dex/auth
- auth.whitelistSourceRanges
An array of CIDRs that are allowed to authenticate in the Hubble web UI.
Example:
whitelistSourceRanges:
- 1.1.1.1/32
- debugLogging
Enables debug logging for the Cilium Hubble component.
Default:
false
- https
What certificate type to use.
This parameter completely overrides the global.modules.https settings.
Examples:
https:
  mode: Disabled

https:
  mode: OnlyInURI

https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt
- https.certManager
Parameters for certmanager.
- https.certManager.clusterIssuerName
What ClusterIssuer to use for getting an SSL certificate (currently, letsencrypt, letsencrypt-staging, selfsigned are available; also, you can define your own).
Default:
"letsencrypt"
Examples:
clusterIssuerName: letsencrypt
clusterIssuerName: letsencrypt-staging
clusterIssuerName: selfsigned
- https.customCertificate
Parameters for custom certificate usage.
- https.customCertificate.secretName
The name of the secret in the d8-system namespace to use with the Hubble web UI.
This secret must have the kubernetes.io/tls format.
- https.mode
The HTTPS usage mode:
  CertManager — the web UI is accessed over HTTPS using a certificate obtained from a clusterIssuer specified in the certManager.clusterIssuerName parameter;
  CustomCertificate — the web UI is accessed over HTTPS using a certificate from the d8-system namespace;
  Disabled — in this mode, the documentation web UI can only be accessed over HTTP;
  OnlyInURI — the documentation web UI will work over HTTP (assuming that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. The load balancer should provide a redirect from HTTP to HTTPS.
Default:
"CertManager"
Allowed values:
Disabled, CertManager, CustomCertificate, OnlyInURI
- ingressClass
The class of the Ingress controller used for Hubble.
Optional. By default, the modules.ingressClass global value is used.
Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- nodeSelector
The same as the spec.nodeSelector pod parameter in Kubernetes.
If the parameter is omitted or false, it will be determined automatically.
- tolerations
The same as spec.tolerations for the Kubernetes Pod.
If the parameter is omitted or false, it will be determined automatically.
- tolerations.effect
- tolerations.key
- tolerations.operator
- tolerations.tolerationSeconds
- tolerations.value
Authentication
The user-authn module provides authentication by default. Also, externalAuthentication can be configured (see below). If these options are disabled, the module will use basic auth with the auto-generated password.
Use kubectl to see the password:
kubectl -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module values cilium-hubble -o json | jq '.ciliumHubble.internal.auth.password'
Delete the Secret to re-generate the password:
kubectl -n d8-cni-cilium delete secret/hubble-basic-auth
Note! The auth.password parameter is deprecated.
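The parameter reference and the authentication fallback described above can be checked before a ModuleConfig is applied. The Python below is an added example, not Deckhouse code: lint_settings, the user_authn_enabled flag, the finding texts and the sample settings are assumptions made for illustration, and reporting a /0 range is this example's own rule.

```python
import ipaddress
import re

INGRESS_CLASS_RE = re.compile(  # pattern copied from the ingressClass parameter
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
HTTPS_MODES = {"Disabled", "CertManager", "CustomCertificate", "OnlyInURI"}

def lint_settings(settings, user_authn_enabled=False):
    """Return review findings for spec.settings of ModuleConfig/cilium-hubble."""
    out = []
    auth, https = settings.get("auth", {}), settings.get("https", {})
    ext = auth.get("externalAuthentication")
    mode = https.get("mode", "CertManager")  # documented default
    if mode not in HTTPS_MODES:
        out.append(f"https.mode: {mode!r} is not an allowed value")
    elif mode == "Disabled":
        out.append("https.mode: web UI is served over plain HTTP only")
    elif mode == "CustomCertificate" and not https.get("customCertificate", {}).get("secretName"):
        out.append("https.customCertificate.secretName: no TLS secret named")
    if "password" in auth:
        out.append("auth.password: deprecated parameter is still set")
    if not user_authn_enabled and ext is None:
        out.append("auth: falls back to basic auth with the auto-generated password")
    elif not auth.get("allowedUserGroups"):
        out.append("auth.allowedUserGroups: no group restriction configured")
    for cidr in auth.get("whitelistSourceRanges", []):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            out.append(f"auth.whitelistSourceRanges: {cidr!r} is not a valid CIDR")
            continue
        if net.prefixlen == 0:  # assumption: a /0 entry defeats the allow-list
            out.append(f"auth.whitelistSourceRanges: {cidr} matches every address")
    ingress_class = settings.get("ingressClass")
    if ingress_class is not None and not INGRESS_CLASS_RE.match(ingress_class):
        out.append(f"ingressClass: {ingress_class!r} does not match the documented pattern")
    return out

# Constructed sample inputs (not taken from a real cluster).
WEAK = {"auth": {"password": "example", "whitelistSourceRanges": ["0.0.0.0/0", "10.0.0.300/8"]},
        "https": {"mode": "Disabled"}, "ingressClass": "Nginx_Public"}
HARDENED = {"auth": {"allowedUserGroups": ["admins"],
                     "externalAuthentication": {"authURL": "https://example.com/dex/auth",
                                                "authSignInURL": "https://example.com/dex/sign_in"},
                     "whitelistSourceRanges": ["1.1.1.1/32"]},
            "https": {"mode": "CertManager", "certManager": {"clusterIssuerName": "letsencrypt"}}}

if __name__ == "__main__":
    print(lint_settings(WEAK), lint_settings(HARDENED), sep="\n")
```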