How can I enable Cilium with Hubble during the RKE...
# rke2v
victorious-motorcycle-37766
03/19/2025, 2:23 PMHow can I enable Cilium with Hubble during the RKE2 installation? I tried the following configuration, but Hubble is not getting enabled.
Copy code
sudo vi /etc/rancher/rke2/config.yaml
cni: cilium
cilium:
enable-hubble: true
hubble-relay: true
hubble-ui: true
hubble-ui-port: 4245
hubble-ui-external: true
hubble-ui-service-type: LoadBalancer
hubble-listen-metrics: ":4244"
hubble-listen: ":4244"
hubble-relay-listen: ":4246"
hubble-relay-external: true
hubble-relay-service-type: LoadBalancerm
mysterious-animal-29850
03/19/2025, 3:26 PMYou can't pass helm chart values to cilium from the config.yaml. config.yaml is for rke2 binary to know what to setup.
https://docs.rke2.io/helm#customizing-packaged-components-with-helmchartconfig
^ helmchartconfig is what you want.
v
victorious-motorcycle-37766
03/19/2025, 3:42 PMTried it. Not working. May be my values was wrong. Can you please help me with the values to enable it?
m
mysterious-animal-29850
03/19/2025, 4:32 PMpaste your helmchart config here and the location where you placed it
v
victorious-motorcycle-37766
03/20/2025, 5:00 AM Copy code
apiVersion: <http://helm.cattle.io/v1|helm.cattle.io/v1>
kind: HelmChartConfig
metadata:
name: rke2-cilium
namespace: kube-system
spec:
valuesContent: |-
enable-hubble: true
hubble-relay: true
hubble-ui: true
hubble-ui-port: 4245
hubble-ui-external: true
hubble-ui-service-type: LoadBalancer
hubble-listen-metrics: ":4244"
hubble-listen: ":4244"
hubble-relay-listen: ":4246"
hubble-relay-external: true
hubble-relay-service-type: LoadBalancervictorious-motorcycle-37766
03/20/2025, 5:01 AM Copy code
Location: /var/lib/rancher/rke2/server/manifests/rke2-cilium-config.yamlvictorious-motorcycle-37766
03/20/2025, 8:23 AMTried the new values, able to bring up the hubble..
Copy code
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-cilium
namespace: kube-system
spec:
valuesContent: |-
serviceAccounts:
relay:
create: true
name: hubble-relay
automount: true
annotations: {}
ui:
create: true
name: hubble-ui
automount: true
annotations: {}
hubblecertgen:
create: true
name: hubble-generate-certs
automount: true
annotations: {}
hubble:
enabled: true
annotations: {}
metrics:
enabled: ~
enableOpenMetrics: true
port: 9965
tls:
enabled: true
server:
existingSecret: ""
cert: ""
key: ""
extraDnsNames: []
extraIpAddresses: []
mtls:
enabled: true
useSecret: true
name: ~
key: ca.crt
serviceAnnotations: {}
serviceMonitor:
enabled: true
labels: {}
annotations: {}
jobLabel: ""
interval: "10s"
relabelings:
- sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: node
replacement: ${1}
metricRelabelings: ~
tlsConfig: {}
dynamic:
enabled: true
config:
configMapName: cilium-dynamic-metrics-config
createConfigMap: true
content:
- name: all
contextOptions: []
includeFilters: []
excludeFilters: []
socketPath: /var/run/cilium/hubble.sock
redact:
enabled: false
http:
urlQuery: false
userInfo: true
headers:
allow: []
deny: []
kafka:
apiKey: false
listenAddress: ":4244"
preferIpv6: false
skipUnknownCGroupIDs: ~
peerService:
targetPort: 4244
clusterDomain: cluster.local
tls:
enabled: true
auto:
enabled: true
method: helm
certValidityDuration: 365
schedule: "0 0 1 */4 *"
certManagerIssuerRef: {}
server:
existingSecret: ""
cert: ""
key: ""
extraDnsNames: []
extraIpAddresses: []
relay:
enabled: true
rollOutPods: true
image:
override: ~
repository: "rancher/mirrored-cilium-hubble-relay"
tag: "v1.17.1"
useDigest: false
pullPolicy: "IfNotPresent"
resources: {}
replicas: 1
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
k8s-app: cilium
topologySpreadConstraints: []
nodeSelector:
kubernetes.io/os: linux
tolerations: []
extraEnv: []
annotations: {}
podAnnotations: {}
podLabels: {}
podDisruptionBudget:
enabled: false
minAvailable: null
maxUnavailable: 1
priorityClassName: ""
terminationGracePeriodSeconds: 1
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
extraVolumes: []
extraVolumeMounts: []
podSecurityContext:
fsGroup: 65532
securityContext:
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
capabilities:
drop:
- ALL
service:
type: ClusterIP
nodePort: 31234
listenHost: ""
listenPort: "4245"
tls:
client:
existingSecret: ""
cert: ""
key: ""
server:
enabled: true
mtls: true
existingSecret: ""
cert: ""
key: ""
extraDnsNames: []
extraIpAddresses: []
relayName: "ui.hubble-relay.cilium.io"
dialTimeout: ~
retryTimeout: ~
sortBufferLenMax: ~
sortBufferDrainTimeout: ~
gops:
enabled: true
port: 9893
pprof:
enabled: false
address: localhost
port: 6062
ui:
enabled: true
standalone:
enabled: false
tls:
certsVolume: {}
rollOutPods: false
tls:
client:
existingSecret: ""
cert: ""
key: ""
backend:
image:
override: ~
repository: "rancher/mirrored-cilium-hubble-ui-backend"
tag: "v0.13.1"
useDigest: false
pullPolicy: "IfNotPresent"
securityContext: {}
extraEnv: []
extraVolumes: []
extraVolumeMounts: []
livenessProbe:
enabled: true
readinessProbe:
enabled: false
resources: {}
frontend:
image:
override: ~
repository: "rancher/mirrored-cilium-hubble-ui"
tag: "v0.13.1"
useDigest: false
pullPolicy: "IfNotPresent"
securityContext: {}
extraEnv: []
extraVolumes: []
extraVolumeMounts: []
resources: {}
server:
ipv6:
enabled: true
replicas: 1
annotations: {}
labels: {}
podAnnotations: {}
podLabels: {}
podDisruptionBudget:
enabled: false
minAvailable: null
maxUnavailable: 1
affinity: {}
topologySpreadConstraints: []
nodeSelector:
kubernetes.io/os: linux
tolerations: []
priorityClassName: ""
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
securityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
service:
annotations: {}
type: ClusterIP
nodePort: 31235
baseUrl: "/"
ingress:
enabled: false
annotations: {}
className: ""
hosts:
- chart-example.local
labels: {}
tls: []
export:
fileMaxSizeMb: 10
fileMaxBackups: 5
static:
enabled: false
filePath: /var/run/cilium/hubble/events.log
fieldMask: []
allowList: []
denyList: []
dynamic:
enabled: false
config:
configMapName: cilium-flowlog-config
createConfigMap: true
content:
- name: all
fieldMask: []
includeFilters: []
excludeFilters: []
filePath: "/var/run/cilium/hubble/events.log"
dropEventEmitter:
enabled: false
interval: 2m
reasons:
- auth_required
- policy_deniedvictorious-motorcycle-37766
03/20/2025, 8:25 AMIs this the same process I need to follow for Istio deployment during a fresh install?
m
mysterious-animal-29850
03/20/2025, 1:39 PMNo, helmchartconfig is for any “add ons” bundled with rke2. Sitio can be installed from the rancher app, helm, yaml files
51 Views