Did you know that the Cilium Hubble CLI supports using a configuration file?
Below is an example command where Isovalent Enterprise for Cilium is deployed and Hubble RBAC is configured. Therefore, I must provide additional details such as the server location and certificates to authenticate using the CLI. The steps in this blog post also work with Cilium OSS, which is especially handy when setting allow and deny lists to prune the information returned.
This can become cumbersome for every command you want to run.
❯ hubble observe \ --server tls://localhost:4245 \ --tls-ca-cert-files ca-cert.pem \ --tls-server-name 'cli.hubble-relay.cilium.io' \ --namespace kube-system Mar 20 13:09:38.061: tenant-jobs/resumes-58c6678bc8-5nkcg:36459 (ID:88195) -> kube-system/coredns-77fcb74c4c-wfw4f:53 (ID:102385) policy-verdict:L3-L4 EGRESS ALLOWED (UDP) Mar 20 13:09:38.061: tenant-jobs/resumes-58c6678bc8-5nkcg:36459 (ID:88195) -> kube-system/coredns-77fcb74c4c-wfw4f:53 (ID:102385) to-proxy FORWARDED (UDP) Mar 20 13:09:38.062: tenant-jobs/resumes-58c6678bc8-5nkcg (ID:88195) <> kube-system/coredns-77fcb74c4c-wfw4f:53 (ID:102385) post-xlate-fwd TRANSLATED (UDP) Mar 20 13:09:38.062: tenant-jobs/resumes-58c6678bc8-5nkcg:36459 (ID:88195) -> kube-system/coredns-77fcb74c4c-wfw4f:53 (ID:102385) dns-request proxy FORWARDED (DNS Query coreapi.tenant-jobs.svc.cluster.local. A)
Below you can see the various configuration options that the Hubble CLI supports. The above example is using flags as part of the command.
hubble config -h Config allows to modify or view the hubble configuration. Global hubble options can be set via flags, environment variables or a configuration file. The following precedence order is used: 1. Flag 2. Environment variable 3. Configuration file 4. Default value The "config view" subcommand provides a merged view of the configuration. The "config set" and "config reset" subcommand modify values in the configuration file. Environment variable names start with HUBBLE_ followed by the flag name capitalized where eventual dashes ('-') are replaced by underscores ('_'). For example, the environment variable that corresponds to the "--server" flag is HUBBLE_SERVER. The environment variable for "--tls-allow-insecure" is HUBBLE_TLS_ALLOW_INSECURE and so on. Usage: hubble config [flags] hubble config [command] Available Commands: get Get an individual value in the hubble config file reset Reset all or an individual value in the hubble config file set Set an individual value in the hubble config file view Display merged configuration settings
Using the below commands, I can set the flags as values in the configuration file, for any CLI flag, the set value will be prepended with HUBBLE_
+ the flag name.
❯ hubble config set HUBBLE_SERVER tls://localhost:4245 unknown key: HUBBLE_SERVER ❯ hubble config set server tls://localhost:4245 ❯ hubble config set tls-ca-cert-files ca-cert.pem ❯ hubble config set tls-server-name 'cli.hubble-relay.cilium.io'
Now we can use the Hubble CLI without the additional flags.
❯ hubble observe -n tenant-jobs Mar 20 13:13:30.004: tenant-jobs/coreapi-6748664db6-rmr2j:42935 (ID:111121) <- kube-system/coredns-77fcb74c4c-wfw4f:53 (ID:102385) to-endpoint FORWARDED (UDP) Mar 20 13:13:30.496: tenant-jobs/crawler-6dbf4f8b5d-vr7gr:47804 (ID:71705) -> tenant-jobs/loader-68544b8b87-zrxwt:50051 (ID:115137) http-request FORWARDED (HTTP/2 POST http://loader:50051/loader.Loader/LoadCv) Mar 20 13:13:30.505: tenant-jobs/crawler-6dbf4f8b5d-vr7gr:47804 (ID:71705) <- tenant-jobs/loader-68544b8b87-zrxwt:50051 (ID:115137) http-response FORWARDED (HTTP/2 200 9ms (POST http://loader:50051/loader.Loader/LoadCv))
We can validate the configuration in use by running the below command, which also confirms the location of the config file itself, which you can edit directly.
❯ hubble config view allowlist: [] client-id: "" client-secret: "" config: /Users/veducate/Library/Application Support/hubble/config.yaml debug: false denylist: [] grant-type: auto issuer: "" issuer-ca: "" refresh: false scopes: [] server: tls://localhost:4245 timeout: 5s tls: false tls-allow-insecure: false tls-ca-cert-files: - ca-cert.pem tls-client-cert-file: "" tls-client-key-file: "" tls-server-name: cli.hubble-relay.cilium.io token-file
Regards