Skip to content

Deprecate providing Hubble TLS secrets in helm values #34114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 7, 2024
Merged

Deprecate providing Hubble TLS secrets in helm values #34114

merged 3 commits into from
Aug 7, 2024

Conversation

chancez
Copy link
Contributor

@chancez chancez commented Jul 31, 2024
edited
Loading

This is the first step in a few changes to improve our documentation around configuring and using Hubble with TLS. The next PR #34115 will build upon this to make some improvements on the Hubble TLS documentation.

The primary goal with this PR is to add support for using existing secrets for Hubble TLS certificates and private keys to discourage storing private keys in helm values, and to better support users who wish to manage TLS certificates using other methods. While introducing support for using existing secrets, we should deprecate the previous method of directly providing certificates via helm values.

In the same vein, we want to encourage users to use one of the automated TLS methods rather than provide their own certificates in most cases, so let's move the documentation for user provided certificates to the end of the section.

I've got a number of other TLS related improvements coming, mostly in the form of documentation updates, and would like to get all of those improvements in to the stable/v1.16 documentation, so I'm setting the needs-backport/1.16 label on this PR. If the deprecation, and/or helm changes are an issue to backport, then we could skip the backport on this PR, and I'll just have to deal with conflicts when back porting the rest of my upcoming PRs to v1.16. Let me know what you think.

@chancez chancez added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/hubble area/helm Impacts helm charts and user deployment experience needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Jul 31, 2024
@chancez chancez self-assigned this Jul 31, 2024
@chancez chancez requested review from a team as code owners July 31, 2024 21:26
@chancez chancez requested review from joamaki, nebril, rolinh and a user July 31, 2024 21:26
@chancez chancez mentioned this pull request Jul 31, 2024
Merged
@chancez chancez force-pushed the pr/chancez/hubble_tls_existing_secrets branch from 5737504 to 0dfd20d Compare July 31, 2024 21:35
@chancez
Copy link
Contributor Author

chancez commented Jul 31, 2024

/test

ghost
ghost suggested changes Aug 1, 2024
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally deprecations should also be documented in upgrade notes (Documentation/operations/upgrade.rst), can you add a note there?

chancez added 3 commits August 5, 2024 11:22
@chancez
helm: Add existingSecret option for hubble user provided TLS secrets
af6ddd3 
Also deprecate specifying Hubble TLS key/cert values directly in Helm values.

Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
@chancez
Documentation: Move Hubble TLS User provided certificates section last
9043b7b 
Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
@chancez
Documentation: Update Hubble user provided TLS certs instructions
2fa742f 
Instead of suggesting users put TLS private keys into their helm values,
instruct them to create secrets themselves and configure their helm
values to use these pre-existing secrets.

Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
@chancez chancez force-pushed the pr/chancez/hubble_tls_existing_secrets branch from 0dfd20d to 2fa742f Compare August 5, 2024 18:23
@chancez chancez requested a review from a user August 5, 2024 18:23
@chancez
Copy link
Contributor Author

chancez commented Aug 5, 2024

/test

ghost
ghost approved these changes Aug 5, 2024
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@chancez
Copy link
Contributor Author

chancez commented Aug 5, 2024

/test

rolinh
rolinh approved these changes Aug 7, 2024
View reviewed changes
Copy link
Member

@rolinh rolinh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great doc improvement, thanks!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Aug 7, 2024
@rolinh rolinh added this pull request to the merge queue Aug 7, 2024
Merged via the queue into main with commit e235997 Aug 7, 2024
300 of 302 checks passed
@rolinh rolinh deleted the pr/chancez/hubble_tls_existing_secrets branch August 7, 2024 12:46
@jschwinger233 jschwinger233 mentioned this pull request Aug 12, 2024
Merged
15 tasks
@jschwinger233 jschwinger233 added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Aug 12, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Aug 13, 2024
@cilium-release-bot cilium-release-bot bot mentioned this pull request Aug 13, 2024
Merged
@devodev devodev mentioned this pull request May 21, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joamaki joamaki joamaki approved these changes

@rolinh rolinh rolinh approved these changes

@nebril nebril nebril approved these changes

+1 more reviewer
Reviewers whose approvals may not affect merge requirements
Assignees

@chancez chancez

Labels
area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. area/helm Impacts helm charts and user deployment experience backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@chancez @joamaki @rolinh @nebril @jschwinger233