feat(scw-cilium-hubble): create chart to install hubble as an add-on

nox-404 · nox-404 · commit 1204f0cf4f2d · 2024-12-19T17:12:21.000+01:00
diff --git a/charts/scaleway-cilium-hubble/.helmignore b/charts/scaleway-cilium-hubble/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/scaleway-cilium-hubble/Chart.lock b/charts/scaleway-cilium-hubble/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cilium
+  repository: https://helm.cilium.io/
+  version: 1.16.3
+digest: sha256:d14420bef27e2f6259e52a581ff8e5a2cd6e975706bf92e2f9f3ed001e1fd6f6
+generated: "2024-12-19T16:22:55.708643724+01:00"
diff --git a/charts/scaleway-cilium-hubble/Chart.yaml b/charts/scaleway-cilium-hubble/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: scaleway-cilium-hubble
+description: A Helm chart for adding Hubble to Cilium managed by Scaleway
+type: application
+version: 0.1.0
+appVersion: "v0.1.0"
+sources:
+  - https://github.com/scaleway/helm-charts/scaleway-cilium-hubble
+home: https://github.com/scaleway/helm-charts/scaleway-cilium-hubble
+keywords:
+  - scaleway
+  - kapsule
+  - cilium
+kubeVersion: ">= 1.31.0"
+dependencies:
+  - name: cilium
+    version: 1.16.3
+    repository: https://helm.cilium.io/
diff --git a/charts/scaleway-cilium-hubble/README.md b/charts/scaleway-cilium-hubble/README.md
@@ -0,0 +1,58 @@
+# Scaleway Cilium Hubble
+
+This charts deploys Hubble as an add-on to Scaleway Kubernetes clusters.
+
+## Requirements
+
+* Scaleway Kubernetes cluster >= 1.31.0
+
+## Installation
+
+To add the Scaleway Helm repository and install the chart from there, use the following commands:
+
+```sh
+helm repo add scaleway https://helm.scw.cloud/
+helm repo update
+helm upgrade --install scaleway-cilium-hubble scaleway/scaleway-cilium-hubble
+```
+
+You'll then need to rollout cilium agents to load the new configuration:
+
+```sh
+kubectl -n kube-system rollout restart daemonset cilium
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the Scaleway Cilium Hubble chart and their default values.
+
+| Parameter                                     | Description                                                                                                | Default Value                          |
+| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | -------------------------------------- |
+| `nodeConfig.enable-hubble`                    | Enable Hubble gRPC service.                                                                                | `"true"`                               |
+| `nodeConfig.hubble-socket-path`               | UNIX domain socket for Hubble server to listen to.                                                         | `"/var/run/cilium/hubble.sock"`        |
+| `nodeConfig.hubble-event-buffer-capacity`     | Capacity of the buffer to store recent events.                                                             | `"32767"`                              |
+| `nodeConfig.hubble-metrics-server`            | Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this field is not set. | `":9965"`                              |
+| `nodeConfig.hubble-metrics-server-enable-tls` | Enable or disable TLS for Hubble metrics server.                                                           | `"false"`                              |
+| `nodeConfig.hubble-metrics`                   | A space separated list of metrics to enable.                                                               | see `values.yaml` for the default list |
+| `nodeConfig.enable-hubble-open-metrics`       | Enable or disable Hubble OpenMetrics.                                                                      | `"false"`                              |
+| `nodeConfig.hubble-export-file-max-size-mb`   | Maximum size of the Hubble export file in MB.                                                              | `"10"`                                 |
+| `nodeConfig.hubble-export-file-max-backups`   | Maximum number of backups for the Hubble export file.                                                      | `"5"`                                  |
+| `nodeConfig.hubble-listen-address`            | An additional address for Hubble server to listen to (e.g. ":4244").                                       | `":4244"`                              |
+
+For other parameters, refer to cilium's own chart documentation under the `cilium` top level key.
+
+> Make sure not to enable the `operator`/`envoy`/`agent` as it will break the managed `cilium`.
+
+## Usage
+
+Once the chart is installed, you can forward the relay port to the local machine:
+
+```sh
+cilium hubble port-forward
+```
+
+Then open Hubble ui:
+
+```sh
+cilium hubble ui
+```
diff --git a/charts/scaleway-cilium-hubble/templates/NOTES.txt b/charts/scaleway-cilium-hubble/templates/NOTES.txt
@@ -0,0 +1,5 @@
+The scaleway-cilium-hubble chart was successfully installed.
+You may now restart cilium agents:
+  kubectl -n kube-system rollout restart daemonset cilium
+
+Have fun!
diff --git a/charts/scaleway-cilium-hubble/templates/_helpers.tpl b/charts/scaleway-cilium-hubble/templates/_helpers.tpl
@@ -0,0 +1,33 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "scaleway-cilium-hubble.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "scaleway-cilium-hubble.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "scaleway-cilium-hubble.labels" -}}
+helm.sh/chart: {{ include "scaleway-cilium-hubble.chart" . }}
+{{ include "scaleway-cilium-hubble.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "scaleway-cilium-hubble.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "scaleway-cilium-hubble.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/scaleway-cilium-hubble/templates/cilium-node-config.yaml b/charts/scaleway-cilium-hubble/templates/cilium-node-config.yaml
@@ -0,0 +1,16 @@
+# Per node config to enable Hubble
+apiVersion: cilium.io/v2
+kind: CiliumNodeConfig
+metadata:
+  name: enable-hubble
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.cilium.hubble.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels: {{- include "scaleway-cilium-hubble.labels" . | nindent 4 }}
+spec:
+  nodeSelector:
+    matchLabels: {} # match all nodes
+  defaults:
+    {{- toYaml .Values.nodeConfig | nindent 4 }}
diff --git a/charts/scaleway-cilium-hubble/templates/hubble/peer-service.yaml b/charts/scaleway-cilium-hubble/templates/hubble/peer-service.yaml
@@ -0,0 +1,31 @@
+# source: https://github.com/cilium/cilium/blob/v1.16.3/install/kubernetes/cilium/templates/hubble/peer-service.yaml
+#
+# With the following changes:
+# removed the condition to have the agent enabled
+# added the `cilium` top level key
+# changed the labels
+{{- if .Values.cilium.hubble.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: hubble-peer
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.cilium.hubble.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels: {{- include "scaleway-cilium-hubble.labels" . | nindent 4 }}
+spec:
+  selector:
+    k8s-app: cilium
+  ports:
+  - name: peer-service
+    {{- if .Values.cilium.hubble.peerService.servicePort }}
+    port: {{ .Values.cilium.hubble.peerService.servicePort }}
+    {{- else }}
+    port: {{ .Values.cilium.hubble.tls.enabled | ternary 443 80 }}
+    {{- end }}
+    protocol: TCP
+    targetPort: {{ .Values.cilium.hubble.peerService.targetPort }}
+  internalTrafficPolicy: Local
+{{- end }}
diff --git a/charts/scaleway-cilium-hubble/values.yaml b/charts/scaleway-cilium-hubble/values.yaml
@@ -0,0 +1,56 @@
+nodeConfig:
+  # Enable Hubble gRPC service.
+  enable-hubble: "true"
+  # UNIX domain socket for Hubble server to listen to.
+  hubble-socket-path: "/var/run/cilium/hubble.sock"
+  # Capacity of the buffer to store recent events.
+  hubble-event-buffer-capacity: "32767"
+  # Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this
+  # field is not set.
+  hubble-metrics-server: ":9965"
+  hubble-metrics-server-enable-tls: "false"
+  # A space separated list of metrics to enable. See [0] for available metrics.
+  #
+  # https://github.com/cilium/hubble/blob/master/Documentation/metrics.md
+  hubble-metrics:
+    dns:query;ignoreAAAA
+    drop
+    flow
+    flows-to-world:any-drop;port
+    httpV2
+    icmp
+    port-distribution
+    tcp
+  enable-hubble-open-metrics: "false"
+  hubble-export-file-max-size-mb: "10"
+  hubble-export-file-max-backups: "5"
+  # An additional address for Hubble server to listen to (e.g. ":4244").
+  hubble-listen-address: ":4244"
+
+cilium:
+  hubble:
+    enabled: true
+    eventBufferCapacity: 32767
+    metrics:
+      enabled:
+      - dns:query;ignoreAAAA
+      - drop
+      - flow
+      - flows-to-world:any-drop;port
+      - httpV2
+      - icmp
+      - port-distribution
+      - tcp
+    relay:
+      enabled: true
+    ui:
+      enabled: true
+    tls:
+      auto:
+        method: cronjob
+
+  agent: false
+  operator:
+    enabled: false
+  envoy:
+    enabled: false
