diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.14.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.14.yaml.template
index 8cd6a37433..82146dd2d2 100644
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.14.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.14.yaml.template
@@ -352,7 +352,8 @@ metadata:
   namespace: kube-system
 data:
   config.yaml: |
-    peer-service: unix:///var/run/cilium/hubble.sock
+    cluster-name: "{{ .ClusterName }}"
+    peer-service: "hubble-peer.kube-system.svc.cluster.local:443"
     listen-address: :4245
     disable-server-tls: true
@@ -360,7 +361,26 @@ data:
     tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
     tls-client-key-file: /var/lib/hubble-relay/tls/client.key
     tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
-
+---
+# Source: cilium/templates/hubble/peer-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: hubble-peer
+  namespace: kube-system
+  labels:
+    k8s-app: cilium
+    app.kubernetes.io/part-of: cilium
+    app.kubernetes.io/name: hubble-peer
+spec:
+  selector:
+    k8s-app: cilium
+  ports:
+  - name: peer-service
+    port: 443
+    protocol: TCP
+    targetPort: 4244
+  internalTrafficPolicy: Local
 {{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1028,17 +1048,23 @@ spec:
         command:
         - /cni-uninstall.sh
         ports:
-        {{ if .EnablePrometheusMetrics }}
-        - containerPort: {{ .AgentPrometheusPort }}
-          name: prometheus
+        {{- if WithDefaultBool .Hubble.Enabled false }}
+        - name: peer-service
+          containerPort: 4244
+          hostPort: 4244
           protocol: TCP
-        {{ end }}
         {{- if .Hubble.Metrics }}
         - containerPort: 9091
           hostPort: 9091
           name: hubble-metrics
           protocol: TCP
         {{- end }}
+        {{- end }}
+        {{ if .EnablePrometheusMetrics }}
+        - containerPort: {{ .AgentPrometheusPort }}
+          name: prometheus
+          protocol: TCP
+        {{- end }}
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
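Review bot: The new `peer-service` value hard-codes the `cluster.local` DNS suffix (`hubble-peer.kube-system.svc.cluster.local:443`), so on a cluster whose DNS domain differs the relay can no longer reach its peers now that the node-local unix socket is gone. If kops exposes the cluster DNS domain to this template, render it instead, e.g. `peer-service: "hubble-peer.kube-system.svc.<cluster-dns-domain>:443"` with the placeholder replaced by the template variable; otherwise state the assumption above the line with `# assumes the default cluster DNS domain (cluster.local)`. Note that `disable-server-tls: true` on the context line governs only the relay's own :4245 listener; the client side towards the agents stays on TLS via the `tls-client-*` and `tls-hubble-server-ca-files` keys, which is what moving from a unix socket to a network endpoint requires. The ConfigMap's metadata starts above the hunk.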
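Review bot: `internalTrafficPolicy: Local` on the new hubble-peer Service is only honoured by Kubernetes 1.22 and later (GA in 1.26); on an older API server the field is unknown and is either silently dropped or, with strict field validation, rejected. If it is dropped, the relay's peer connection is balanced to any node's agent rather than the local one, which the `podAffinity` added later in this commit assumes. Either gate the line on the minimum Kubernetes version this template targets or document it with `# requires Kubernetes >= 1.22 (ServiceInternalTrafficPolicy)` above it.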
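Review bot: Trim markers are mixed in the rewritten `ports:` block: the relocated prometheus branch opens with `{{ if .EnablePrometheusMetrics }}` but closes with `{{- end }}`, while both hubble branches use `{{- if` / `{{- end }}`; the undashed opener leaves an indented blank line inside the list, so `{{- if .EnablePrometheusMetrics }}` keeps the rendered YAML consistent. Nesting the `.Hubble.Metrics` ports under `.Hubble.Enabled` drops the 9091 hostPort for clusters that set metrics without enabling Hubble, which is presumably intended but deserves a sentence in the commit message. The new `hostPort: 4244` publishes the agent's Hubble peer endpoint on every node's host interface; the relay config in this same file references `tls-hubble-server-ca-files`, which suggests the listener is TLS-protected, but that should be confirmed and the port kept inside the node security group rather than reachable from outside the cluster. The container spec continues past the end of the hunk.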
@@ -1582,13 +1608,10 @@ spec:
         command:
         - hubble-relay
         args:
-        - "serve"
-        - "--peer-service=unix:///var/run/cilium/hubble.sock"
-        - "--listen-address=:4245"
-        env:
-        # unfortunately, the addon CAs use only CN
-        - name: GODEBUG
-          value: x509ignoreCN=0
+        - serve
+        {{- if .Debug }}
+        - '--debug'
+        {{- end }}
         ports:
         - name: grpc
           containerPort: 4245
@@ -1600,15 +1623,21 @@ spec:
             port: grpc
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
-        - mountPath: /var/run/cilium
-          name: hubble-sock-dir
+        - name: config
+          mountPath: /etc/hubble-relay
           readOnly: true
-        - mountPath: /etc/hubble-relay
-          name: config
-          readOnly: true
-        - mountPath: /var/lib/hubble-relay/tls
-          name: tls
+        - name: tls
+          mountPath: /var/lib/hubble-relay/tls
           readOnly: true
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                k8s-app: cilium
+            topologyKey: kubernetes.io/hostname
+      nodeSelector:
+        kubernetes.io/os: linux
       restartPolicy: Always
       serviceAccount: hubble-relay
       serviceAccountName: hubble-relay
@@ -1627,17 +1656,16 @@ spec:
             matchLabels:
               k8s-app: hubble-relay
       volumes:
-      - hostPath:
-          path: /var/run/cilium
-          type: Directory
-        name: hubble-sock-dir
-      - configMap:
+      - name: config
+        configMap:
           name: hubble-relay-config
           items:
           - key: config.yaml
             path: config.yaml
-        name: config
-      - projected:
+      - name: tls
+        projected:
+          # note: the leading zero means this number is in octal representation: do not remove it
+          defaultMode: 0400
           sources:
           - secret:
               name: hubble-relay-client-certs
@@ -1648,7 +1676,6 @@ spec:
               path: client.key
             - key: ca.crt
               path: hubble-server-ca.crt
-        name: tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
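Review bot: Removing the `GODEBUG=x509ignoreCN=0` entry means the relay's verification of agent certificates now requires Subject Alternative Names; Go stopped honouring that setting in 1.17, so on a current relay image it was already a no-op, but the comment it carried (`the addon CAs use only CN`) describes a certificate shape that fails verification without it. Confirm that the cert-manager `Certificate` resources further down this file populate `dnsNames` (and `ipAddresses` where peers are addressed by IP) for the hubble server and relay client certificates, and say so in the commit message. Minor style point: `serve` is a plain scalar while the neighbouring `'--debug'` is single-quoted; pick one form, e.g. `- 'serve'`. The container spec starts above the hunk.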
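Review bot: The added `affinity:` block sits at pod-spec level, and the context of the next hunk (`matchLabels: k8s-app: hubble-relay` directly above `volumes:`) shows an existing label-selector block in the same spec in the lines between the two hunks. If that block belongs to an existing `affinity:` (for example a podAntiAffinity) rather than to `topologySpreadConstraints`, the spec now carries the `affinity` key twice; YAML loaders take the last occurrence and strict decoders reject the document, so the new `podAffinity` should be merged into the existing block instead. The required podAffinity to `k8s-app: cilium` is otherwise satisfied on every node running the agent DaemonSet in the same namespace, so it is harmless on its own.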
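Review bot: `defaultMode: 0400` on the projected `tls` volume makes the certificate files readable by their owner only, and projected-volume files are owned by root unless the pod's `securityContext.fsGroup` is set; if the relay container runs as a non-root user (the pod-level securityContext is outside this hunk), it cannot read `client.crt` and `client.key` and fails at start-up. Confirm the Deployment sets `fsGroup` to the relay's uid, or pair the mode with an explicit fsGroup in the same change. The octal comment is correct for the YAML 1.1 loader Kubernetes uses and is worth keeping as written. The `name`-first reordering also covers the `config` volume here and the `name: tls` removal in the following hunk.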