cilium-cli
Connectivity tests: Support Hubble relay with enabled TLS
Proposal / RFE
Is your feature request related to a problem?
Cilium connectivity tests with enabled Hubble flow validation (cilium connectivity test --hubble, --hubble is enabled by default) do not work in case Hubble relay uses TLS. E.g., something like this:
hubble:
  enabled: true
  tls:
    enabled: true
    auto:
      enabled: true
      method: certmanager
      certManagerIssuerRef:
        group: cert-manager.io
        kind: Issuer
        name: cilium
  relay:
    enabled: true
    tls:
      server:
        enabled: true
This results in an error in case nothing is explicitly specified (cilium connectivity test):
⚠️ Unable to contact Hubble Relay, disabling Hubble telescope and flow validation: rpc error: code = Unavailable desc = connection error: desc = "error reading server preface: EOF"
... and in another error, in case --hubble-server tls://localhost:4245 is added:
⚠️ Unable to contact Hubble Relay, disabling Hubble telescope and flow validation: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp: address tls://localhost:4245: too many colons in address"
However, using Hubble CLI with the right parameters works just fine:
$ kubectl -n kube-system port-forward svc/hubble-relay 4245:443 &
$ hubble --server tls://localhost:4245 --tls-ca-cert-files=(pwd)/cilium-ca.crt --tls-server-name "*.hubble-relay.cilium.io" status
Healthcheck (via localhost:4245): Ok
Current/Max Flows: 32,760/32,760 (100.00%)
Flows/s: 474.71
Connected Nodes: 8/8
Describe the solution you'd like
We do not only need general "Hubble relay with enabled TLS" support for Cilium's connectivity tests but also similar configuration options as we have with Hubble CLI: tls-ca-cert-files and tls-server-name.
Workaround until this is implemented: --hubble=false
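
A sketch of the client-side handling this request asks for, as an added example that is not cilium-cli or Hubble code: it splits the tls:// scheme from the host:port before dialing and builds a verifying TLS configuration from CA files and a server name. The helper names parseHubbleServer and relayTLSConfig are hypothetical, only the Go standard library is used, and the gRPC wiring is left out.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"os"
	"strings"
)

// parseHubbleServer (hypothetical) splits an optional "tls://" scheme from host:port.
func parseHubbleServer(server string) (addr string, useTLS bool, err error) {
	addr = server
	if strings.HasPrefix(server, "tls://") {
		addr, useTLS = strings.TrimPrefix(server, "tls://"), true
	}
	// A raw "tls://host:port" fails host:port parsing: "too many colons in address".
	if _, _, err = net.SplitHostPort(addr); err != nil {
		return "", false, fmt.Errorf("invalid Hubble server %q: %w", server, err)
	}
	return addr, useTLS, nil
}

// relayTLSConfig (hypothetical) builds client TLS settings; verification stays on.
func relayTLSConfig(caFiles []string, serverName string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: serverName}
	if len(caFiles) == 0 {
		return cfg, nil // nil RootCAs: the system trust store is used
	}
	pool := x509.NewCertPool()
	for _, f := range caFiles {
		pem, err := os.ReadFile(f)
		if err != nil {
			return nil, fmt.Errorf("read CA file: %w", err)
		}
		if !pool.AppendCertsFromPEM(pem) {
			return nil, fmt.Errorf("no PEM certificates in %s", f)
		}
	}
	cfg.RootCAs = pool
	return cfg, nil
}

func main() {
	addr, useTLS, err := parseHubbleServer("tls://localhost:4245")
	fmt.Println(addr, useTLS, err)
}
```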