Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cilium Hubble UI don't start when TLS is disabled #11100

Open
plyul opened this issue Apr 19, 2024 · 0 comments
Open

Cilium Hubble UI don't start when TLS is disabled #11100

plyul opened this issue Apr 19, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@plyul
Copy link

plyul commented Apr 19, 2024
edited

What happened?

After deploying a cluster with Cilium CNI, Hubble UI enabled and disabled TLS in Hubble (cilium_hubble_tls_generate: false), hubble-ui pod stays in ContainerCreating state.

kubectl describe pod shows:

Warning  FailedMount  55s (x13 over 11m)  kubelet            MountVolume.SetUp failed for volume "tls" : secret "hubble-relay-client-certs" not found

What did you expect to happen?

hubble-ui deployed successfully

How can we reproduce it (as minimally and precisely as possible)?

Install cluster with enabled hubble-ui and disabled TLS.

Relevant kubespray vars:

cilium_enable_hubble: true
cilium_hubble_install: true
cilium_hubble_tls_generate: false

OS

Linux 6.1.0-20-amd64 x86_64
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Version of Ansible

ansible [core 2.16.5]
python version = 3.11.8 (main, Feb 12 2024, 14:50:05) [GCC 13.2.1 20230801]
jinja version = 3.1.3
libyaml = True

Version of Python

Python 3.11.8

Version of Kubespray (commit)

Ansible collection v2.24.1

Network plugin used

cilium

Full inventory with variables

kube_network_plugin: cilium
cilium_enable_ipv4: true
cilium_enable_ipv6: false
cilium_enable_hubble: true
cilium_hubble_install: true
cilium_hubble_tls_generate: false

Command used to invoke ansible

ansible-playbook -i hosts/inventory.ini cluster.yml

Output of ansible run

Anything else we need to know

I belive that when cilium_hubble_tls_generate is set to False, Kubernetes secret hubble-relay-client-certs is not created, but it is referenced in hubble-ui deployment.

It looks like declarations in volumes and volumeMounts sections of hubble-ui deployment manifest template should be guarded with something like {% if cilium_hubble_tls_generate %}, as done in hubble-relay deployment manifest template in the same file (roles/network_plugin/cilium/templates/hubble/deploy.yml.j2).
@plyul plyul added the kind/bug Categorizes issue or PR as related to a bug. label Apr 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@plyul