Expose hubble agent when hubble is enabled

[olemarkus]

/kind bug

[johngmyers]

I'm not a big fan of exposing things without TLS.

[olemarkus]

Nor do I. But it is a choice of this staying broken in 1.20 or having the feature, but no tls. For 1.21 this will hopefully be fixed

[johngmyers]

I would prefer not having the feature. There is nothing as permanent as a temporary shortcut.

[olemarkus]

So you suggest blocking hubble from being enabled through validation? The flag is already there, so we cannot remove this altogether.

[olemarkus]

I'll implement serving TLS, but mTLS will be more tricky as kops-controller doesn't have any way of provisioning certs to Deployments.

[johngmyers]

You could have kops provision a Keypair and then render it to a Secret using a template function.

[johngmyers]

...ah, that would make the addons manifest secret. We've had a conversation like this before. Perhaps an auxiliary manifest-like thing which provisions secrets from the keystore.

[johngmyers]

By the way, kops-controller certs have lifetimes that are tied to nodes. Deployments would need a different lifetime and renewal mechanism. This is why people tend to use JWT over mTLS--Kubernetes has the infrastructure for the former.

[olemarkus]

Turns out cilium starts normal operations, then wait for the availability of the certificate. So there really isn't any chicken/egg issue here wrt cert-manager.

I have deployed addon PKI + 3 certs (hubble server cert, relay client cert, relay server cert) and tried to get them to work, but something in the mTLS setup is failing. It works when I connect with hubble CLI using the same certs and flags that hubble-relay is supposed to have.

[olemarkus]

My problems were caused by our addon CAs only setting common name. This PR contains a workaround now, but we need to resolve the CA certificate problem later on.

[codablock]

Shouldn't this be v1 already?

[olemarkus]

ouch yes. not sure how v1alpha2 made it there. thanks for catching

[codablock]

fyi, I have this PR merged and running in one of our clusters and already succesfully used it to debug network failures.

[olemarkus]

I am not sure why hubble-ui is failing. but this still solves the hubble issue, so I think we can just merge it.

[codablock]

Looks like hubble-ui is failing for 2 different reasons:

1. See cilium Slack: https://cilium.slack.com/archives/CQRL1EPAA/p1619706586139400
   This is fixed in the hubble-ui image v0.7.7
2. hubble-ui seems to only work when hubble-relay is running without TLS and there is currently no way to enable TLS in hubble-relay. At the same time, you have fixed the hubble-relay service-port to 80, even though TLS is enabled, which seems to be misleading. Looking into the cilium Helm chart, I see that they use port 443 when TLS is enabled.

So, for this PR, I assume that at least 2. should be fixed first.

[olemarkus]

There. Now it works for me.

We'll just have to live with relay TLS false when the UI doesn't support TLS.

[hakman]

/test all

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hakman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment