How can I enable Cilium with Hubble during the RKE...
# rke2
v
How can I enable Cilium with Hubble during the RKE2 installation? I tried the following configuration, but Hubble is not getting enabled.
sudo vi /etc/rancher/rke2/config.yaml
cni: cilium
cilium:
  enable-hubble: true
  hubble-relay: true
  hubble-ui: true
  hubble-ui-port: 4245
  hubble-ui-external: true
  hubble-ui-service-type: LoadBalancer
  hubble-listen-metrics: ":4244"
  hubble-listen: ":4244"
  hubble-relay-listen: ":4246"
  hubble-relay-external: true
  hubble-relay-service-type: LoadBalancer
m
You can't pass helm chart values to cilium from the config.yaml. config.yaml is for the rke2 binary to know what to set up. https://docs.rke2.io/helm#customizing-packaged-components-with-helmchartconfig ^ helmchartconfig is what you want.
v
Tried it. Not working. Maybe my values were wrong. Can you please help me with the values to enable it?
m
Paste your helmchart config here and the location where you placed it.
v
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-cilium
  namespace: kube-system
spec:
  valuesContent: |-
        enable-hubble: true
        hubble-relay: true
        hubble-ui: true
        hubble-ui-port: 4245
        hubble-ui-external: true
        hubble-ui-service-type: LoadBalancer
        hubble-listen-metrics: ":4244"
        hubble-listen: ":4244"
        hubble-relay-listen: ":4246"
        hubble-relay-external: true
        hubble-relay-service-type: LoadBalancer
Location: /var/lib/rancher/rke2/server/manifests/rke2-cilium-config.yaml
Tried the new values, able to bring up Hubble.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-cilium
  namespace: kube-system
spec:
  valuesContent: |-
    serviceAccounts:
      relay:
        create: true
        name: hubble-relay
        automount: true
        annotations: {}
      ui:
        create: true
        name: hubble-ui
        automount: true
        annotations: {}
      hubblecertgen:
        create: true
        name: hubble-generate-certs
        automount: true
        annotations: {}
    hubble:
      enabled: true
      annotations: {}
      metrics:
        enabled: ~
        enableOpenMetrics: true
        port: 9965
        tls:
          enabled: true
          server:
            existingSecret: ""
            cert: ""
            key: ""
            extraDnsNames: []
            extraIpAddresses: []
            mtls:
              enabled: true
              useSecret: true
              name: ~
              key: ca.crt
        serviceAnnotations: {}
        serviceMonitor:
          enabled: true
          labels: {}
          annotations: {}
          jobLabel: ""
          interval: "10s"
          relabelings:
            - sourceLabels:
                - __meta_kubernetes_pod_node_name
              targetLabel: node
              replacement: ${1}
          metricRelabelings: ~
          tlsConfig: {}
        dynamic:
          enabled: true
          config:
            configMapName: cilium-dynamic-metrics-config
            createConfigMap: true
            content:
              - name: all
                contextOptions: []
                includeFilters: []
                excludeFilters: []
      socketPath: /var/run/cilium/hubble.sock
      redact:
        enabled: false
        http:
          urlQuery: false
          userInfo: true
          headers:
            allow: []
            deny: []
        kafka:
          apiKey: false
      listenAddress: ":4244"
      preferIpv6: false
      skipUnknownCGroupIDs: ~
      peerService:
        targetPort: 4244
        clusterDomain: cluster.local
      tls:
        enabled: true
        auto:
          enabled: true
          method: helm
          certValidityDuration: 365
          schedule: "0 0 1 */4 *"
          certManagerIssuerRef: {}
        server:
          existingSecret: ""
          cert: ""
          key: ""
          extraDnsNames: []
          extraIpAddresses: []
      relay:
        enabled: true
        rollOutPods: true
        image:
          override: ~
          repository: "rancher/mirrored-cilium-hubble-relay"
          tag: "v1.17.1"
          useDigest: false
          pullPolicy: "IfNotPresent"
        resources: {}
        replicas: 1
        affinity:
          podAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              - topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchLabels:
                    k8s-app: cilium
        topologySpreadConstraints: []

        nodeSelector:
          kubernetes.io/os: linux
        tolerations: []
        extraEnv: []
        annotations: {}
        podAnnotations: {}
        podLabels: {}
        podDisruptionBudget:
          enabled: false
          minAvailable: null
          maxUnavailable: 1
        priorityClassName: ""
        terminationGracePeriodSeconds: 1
        updateStrategy:
          type: RollingUpdate
          rollingUpdate:
            maxUnavailable: 1
        extraVolumes: []
        extraVolumeMounts: []
        podSecurityContext:
          fsGroup: 65532
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
          runAsGroup: 65532
          capabilities:
            drop:
              - ALL
        service:
          type: ClusterIP
          nodePort: 31234
        listenHost: ""
        listenPort: "4245"
        tls:
          client:
            existingSecret: ""
            cert: ""
            key: ""
          server:
            enabled: true
            mtls: true
            existingSecret: ""
            cert: ""
            key: ""
            extraDnsNames: []
            extraIpAddresses: []
            relayName: "ui.hubble-relay.cilium.io"
        dialTimeout: ~
        retryTimeout: ~
        sortBufferLenMax: ~
        sortBufferDrainTimeout: ~
        gops:
          enabled: true
          port: 9893
        pprof:
          enabled: false
          address: localhost
          port: 6062
      ui:
        enabled: true
        standalone:
          enabled: false
          tls:
            certsVolume: {}
        rollOutPods: false
        tls:
          client:
            existingSecret: ""
            cert: ""
            key: ""
        backend:
          image:
            override: ~
            repository: "rancher/mirrored-cilium-hubble-ui-backend"
            tag: "v0.13.1"
            useDigest: false
            pullPolicy: "IfNotPresent"
          securityContext: {}
          extraEnv: []
          extraVolumes: []
          extraVolumeMounts: []
          livenessProbe:
            enabled: true
          readinessProbe:
            enabled: false
          resources: {}
        frontend:
          image:
            override: ~
            repository: "rancher/mirrored-cilium-hubble-ui"
            tag: "v0.13.1"
            useDigest: false
            pullPolicy: "IfNotPresent"
          securityContext: {}
          extraEnv: []
          extraVolumes: []
          extraVolumeMounts: []
          resources: {}
          server:
            ipv6:
              enabled: true
        replicas: 1
        annotations: {}
        labels: {}
        podAnnotations: {}
        podLabels: {}
        podDisruptionBudget:
          enabled: false
          minAvailable: null
          maxUnavailable: 1
        affinity: {}
        topologySpreadConstraints: []

        nodeSelector:
          kubernetes.io/os: linux
        tolerations: []
        priorityClassName: ""
        updateStrategy:
          type: RollingUpdate
          rollingUpdate:
            maxUnavailable: 1
        securityContext:
          runAsUser: 1001
          runAsGroup: 1001
          fsGroup: 1001
        service:
          annotations: {}
          type: ClusterIP
          nodePort: 31235
        baseUrl: "/"
        ingress:
          enabled: false
          annotations: {}
          className: ""
          hosts:
            - chart-example.local
          labels: {}
          tls: []
      export:
        fileMaxSizeMb: 10
        fileMaxBackups: 5
        static:
          enabled: false
          filePath: /var/run/cilium/hubble/events.log
          fieldMask: []
          allowList: []
          denyList: []
        dynamic:
          enabled: false
          config:
            configMapName: cilium-flowlog-config
            createConfigMap: true
            content:
              - name: all
                fieldMask: []
                includeFilters: []
                excludeFilters: []
                filePath: "/var/run/cilium/hubble/events.log"
      dropEventEmitter:
        enabled: false
        interval: 2m
        reasons:
          - auth_required
          - policy_denied
Is this the same process I need to follow for Istio deployment during a fresh install?
m
No, helmchartconfig is for any “add-ons” bundled with rke2. Istio can be installed from the rancher app, helm, yaml files.