Use hubble-relay peer service instead of socket mount

zadjadr 2023-09-01 22:05:42 +02:00
parent ef8a1f3d7e
commit 981f23964a
1 changed files with 55 additions and 28 deletions


@ -352,7 +352,8 @@ metadata:
namespace: kube-system
data:
config.yaml: |
peer-service: unix:///var/run/cilium/hubble.sock
cluster-name: "{{ .ClusterName }}"
peer-service: "hubble-peer.kube-system.svc.cluster.local:443"
listen-address: :4245
disable-server-tls: true
@ -360,7 +361,26 @@ data:
tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
tls-client-key-file: /var/lib/hubble-relay/tls/client.key
tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
---
# Source: cilium/templates/hubble/peer-service.yaml
apiVersion: v1
kind: Service
metadata:
name: hubble-peer
namespace: kube-system
labels:
k8s-app: cilium
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: hubble-peer
spec:
selector:
k8s-app: cilium
ports:
- name: peer-service
port: 443
protocol: TCP
targetPort: 4244
internalTrafficPolicy: Local
{{ end }}
---
apiVersion: rbac.authorization.k8s.io/v1
@ -1028,17 +1048,23 @@ spec:
command:
- /cni-uninstall.sh
ports:
{{ if .EnablePrometheusMetrics }}
- containerPort: {{ .AgentPrometheusPort }}
name: prometheus
{{- if WithDefaultBool .Hubble.Enabled false }}
- name: peer-service
containerPort: 4244
hostPort: 4244
protocol: TCP
{{ end }}
{{- if .Hubble.Metrics }}
- containerPort: 9091
hostPort: 9091
name: hubble-metrics
protocol: TCP
{{- end }}
{{- end }}
{{ if .EnablePrometheusMetrics }}
- containerPort: {{ .AgentPrometheusPort }}
name: prometheus
protocol: TCP
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
@ -1582,13 +1608,10 @@ spec:
command:
- hubble-relay
args:
- "serve"
- "--peer-service=unix:///var/run/cilium/hubble.sock"
- "--listen-address=:4245"
env:
# unfortunately, the addon CAs use only CN
- name: GODEBUG
value: x509ignoreCN=0
- serve
{{- if .Debug }}
- '--debug'
{{- end }}
ports:
- name: grpc
containerPort: 4245
@ -1600,15 +1623,21 @@ spec:
port: grpc
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/cilium
name: hubble-sock-dir
- name: config
mountPath: /etc/hubble-relay
readOnly: true
- mountPath: /etc/hubble-relay
name: config
readOnly: true
- mountPath: /var/lib/hubble-relay/tls
name: tls
- name: tls
mountPath: /var/lib/hubble-relay/tls
readOnly: true
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
k8s-app: cilium
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
restartPolicy: Always
serviceAccount: hubble-relay
serviceAccountName: hubble-relay
@ -1627,17 +1656,16 @@ spec:
matchLabels:
k8s-app: hubble-relay
volumes:
- hostPath:
path: /var/run/cilium
type: Directory
name: hubble-sock-dir
- configMap:
- name: config
configMap:
name: hubble-relay-config
items:
- key: config.yaml
path: config.yaml
name: config
- projected:
- name: tls
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: hubble-relay-client-certs
@ -1648,7 +1676,6 @@ spec:
path: client.key
- key: ca.crt
path: hubble-server-ca.crt
name: tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
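Review bot: The agent hunk at `@ -1028,17 +1048,23 @@` adds `hostPort: 4244` for the peer-service, which makes the Hubble gRPC endpoint reachable on every node's host interfaces, and nothing in this diff shows the agent-side Hubble server TLS settings that would make that exposure safe. The relay side is configured for mutual TLS (`tls-client-cert-file`, `tls-hubble-server-ca-files`) and now dials `peer-service: "hubble-peer.kube-system.svc.cluster.local:443"`, so the matching server-side enforcement presumably lives elsewhere in this template; confirm it is enabled under the same `.Hubble.Enabled` condition rather than only when metrics are on. A comment above the new port entry would save the next reader from guessing: `# hubble-relay discovers peers via the hubble-peer Service, then dials each node on 4244; the agent's Hubble server TLS is what guards this host port`. Separately, the new Service's `internalTrafficPolicy: Local` only takes effect on Kubernetes releases that support that field, so if the addon targets older clusters it may be silently dropped and relay traffic would no longer be pinned to the local agent; the `{{ if ... }}` that the `{{ end }}` after the Service closes starts outside the hunk.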