cilium / hubble-ui

Observability & Troubleshooting for Kubernetes Services
https://www.cilium.io
Apache License 2.0
386 stars 60 forks

Secret "hubble-ui-client-certs" not found #896

Open elaurensx opened 2 months ago

elaurensx commented 2 months ago

Hubble-ui deployed through official Helm chart along with all other Cilium components.

ui.enabled: true
ui.standalone: false
hubble.tls.auto.enabled: true
hubble.tls.auto.method: cronJob

kubectl describe cronjob hubble-generate-certs -n kube-system doesn't mention anything related to hubble-ui-client-certs:

Command:
  /usr/bin/cilium-certgen
Args:
  --cilium-namespace=kube-system
  --ca-generate
  --ca-reuse-secret
  --hubble-server-cert-generate
  --hubble-server-cert-common-name=*.pluto.hubble-grpc.cilium.io
  --hubble-server-cert-validity-duration=31536000s
  --hubble-relay-client-cert-generate
  --hubble-relay-client-cert-validity-duration=31536000s
  --hubble-relay-server-cert-generate
  --hubble-relay-server-cert-validity-duration=31536000s

michaelajr commented 1 month ago

Same issue. Hubble UI certs are not generated when using hubble.tls.auto.method: cronJob.

michaelajr commented 1 month ago

Is cronJob certgen meant to be used only when Hubble UI is installed in standalone mode? And then it is to mount the client cert that was created?

michaelajr commented 1 month ago

Was able to work around this by setting:

ui:
    standalone:
      enabled: true
      tls:
        certsVolume:
          projected:
            defaultMode: 0400
            sources:
              - secret:
                  name: hubble-relay-client-certs
                  items:
                    - key: tls.crt
                      path: client.crt
                    - key: tls.key
                      path: client.key
                    - key: ca.crt
                      path: hubble-relay-ca.crt

Have not fully tested, just an observation that this will allow Hubble UI to start up - and I do see flows in the UI.