[feature] Run our own Hubble UI backend
... which is actually little more than a glorified HTTP-to-gRPC proxy written in Go, with a little something on the side to watch and serve `Namespace` objects. The configuration is inspired by [Cilium's own chart](https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium/templates/hubble-ui) under the `hubble.ui.enabled = true` setting, except with fewer `ConfigMap`s and more defense-in-depth.

- Do *not* just turn on `hubble.ui.enabled = true` in that other chart (which we could as part of https://github.com/epfl-si/sddc-ocp), as this would defeat defense-in-depth quite a bit: neither the front-end nor the back-end need to run inside the privileged namespace (i.e. `cilium-system`).
- Do *not* even run same with `hubble.ui.standalone = true` in "our" namespace (i.e. `hubble`), as that would leave us with moving parts that we don't want (i.e. the nginx `ConfigMap`s for the reverse proxy rig; see below).
- Forego mTLS between the UI backend and the Hubble relay, as it is not strictly required to achieve defense-in-depth. Knowing that in the EPFL case, the Hubble relay always lives in the same cluster and a different namespace, We Can Always Later™ put up access control between the two of them using e.g. `NetworkPolicy` objects.
- Like Cilium, run the Hubble UI backend as an extra container in the same pod as the front-end server.
- Address both sets of containers through a single `Service` with two ports.
- Unlike Cilium, don't do any nginx reverse proxying (nor nginx-related `ConfigMap`s). Instead, leverage the staggered `Route`s (that we already have) to serve both front-end and back-end under the same hostname. This provides the same benefits CORS-wise, i.e. things just work.
- Make the front-end `Route` access the UI front-end directly (as nothing it serves is security-critical); conversely, the back-end `Route` goes through the RBAC proxy (as it already did).
- Provide default values that are useful out-of-the-box to the EPFL setup, but make them tunable later if the need arises (e.g. should we decide to mirror or rebuild the backend image).
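An added illustration of the layout the message describes (not the repository's own manifests): one `Service` exposing both containers of the pod, and two `Route`s sharing one hostname so the front-end and the `/api` back-end are same-origin without nginx. The port numbers, the `/api` path, the hostname and the `rbac-proxy` target port are assumptions.

```yaml
# Constructed example; names, ports, host and the rbac-proxy port are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: hubble-ui
  namespace: hubble
spec:
  selector:
    app: hubble-ui
  ports:
    - name: frontend
      port: 8081
      targetPort: frontend      # UI front-end container, reached directly
    - name: backend
      port: 8090
      targetPort: rbac-proxy    # assumption: RBAC proxy fronts the Go backend
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: hubble-ui-frontend
  namespace: hubble
spec:
  host: hubble.example.invalid  # placeholder hostname, shared by both Routes
  path: /
  to:
    kind: Service
    name: hubble-ui
  port:
    targetPort: frontend
  tls:
    termination: edge
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: hubble-ui-backend
  namespace: hubble
spec:
  host: hubble.example.invalid  # same host: longer path wins, so /api goes here
  path: /api
  to:
    kind: Service
    name: hubble-ui
  port:
    targetPort: backend
  tls:
    termination: edge
```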