feature(networking): add internal Hubble ingress

- add ingress manifests for Hubble UI behind pomerium when auth is enabled
- update networking schema to allow overriding defaults
- update schemas documentation
- update go-models
Note: this does not update EKS schema because cilium is not an option there.

defaults/kfddistribution-kfd-v1alpha2.yaml

@@ -189,6 +189,11 @@ data:
       overrides:
         nodeSelector: null
         tolerations: null
+        ingresses:
+          hubble:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
     # policy module configuration
     policy:
       overrides:

defaults/onpremises-kfd-v1alpha2.yaml

@@ -189,6 +189,11 @@ data:
       overrides:
         nodeSelector: null
         tolerations: null
+        ingresses:
+          hubble:
+            disableAuth: false
+            host: ""
+            ingressClass: ""
     # policy module configuration
     policy:
       overrides:

docs/schemas/kfddistribution-kfd-v1alpha2.md

@@ -2884,6 +2884,8 @@ The password for the minio root user
 |:------------------------------------------------------------------------|:---------|:---------|
 | [nodeSelector](#specdistributionmodulesnetworkingoverridesnodeselector) | `object` | Optional |
 | [tolerations](#specdistributionmodulesnetworkingoverridestolerations)   | `array`  | Optional |
+| [ingresses](#specdistributionmodulesnetworkingoverridesingresses)       | `object` | Optional |
+
 
 ## .spec.distribution.modules.networking.overrides.nodeSelector
 
@@ -2947,6 +2949,30 @@ The key of the toleration
 
 The value of the toleration
 
+## .spec.distribution.modules.networking.overrides.ingresses
+
+Allows overriding default values of the ingresses included in the networking module.
+
+### Properties
+
+| Property              | Type     | Required |
+| :-------------------- | :------- | :------- |
+| `hubble.host`         | `string` | Optional |
+| `hubble.ingressClass` | `string` | Optional |
+| `hubble.disableAuth`  | `bool`   | Optional |
+
+## .spec.distribution.modules.networking.overrides.ingresses.host
+
+### Description
+
+The host of the ingress
+
+## .spec.distribution.modules.networking.overrides.ingresses.ingressClass
+
+### Description
+
+The ingress class of the ingress
+
 ## .spec.distribution.modules.networking.tigeraOperator
 
 ### Properties

docs/schemas/onpremises-kfd-v1alpha2.md

@@ -2941,6 +2941,8 @@ The password for the minio root user
 |:------------------------------------------------------------------------|:---------|:---------|
 | [nodeSelector](#specdistributionmodulesnetworkingoverridesnodeselector) | `object` | Optional |
 | [tolerations](#specdistributionmodulesnetworkingoverridestolerations)   | `array`  | Optional |
+| [ingresses](#specdistributionmodulesnetworkingoverridesingresses)       | `object` | Optional |
+
 
 ## .spec.distribution.modules.networking.overrides.nodeSelector
 
@@ -3004,6 +3006,30 @@ The key of the toleration
 
 The value of the toleration
 
+## .spec.distribution.modules.networking.overrides.ingresses
+
+Allows overriding default values of the ingresses included in the networking module.
+
+### Properties
+
+| Property              | Type     | Required |
+| :-------------------- | :------- | :------- |
+| `hubble.host`         | `string` | Optional |
+| `hubble.ingressClass` | `string` | Optional |
+| `hubble.disableAuth`  | `bool`   | Optional |
+
+## .spec.distribution.modules.networking.overrides.ingresses.host
+
+### Description
+
+The host of the ingress
+
+## .spec.distribution.modules.networking.overrides.ingresses.ingressClass
+
+### Description
+
+The ingress class of the ingress
+
 ## .spec.distribution.modules.networking.tigeraOperator
 
 ### Properties

schemas/public/kfddistribution-kfd-v1alpha2.json

@@ -739,7 +739,7 @@
       "additionalProperties": false,
       "properties": {
         "overrides": {
-          "$ref": "#/$defs/Types.FuryModuleComponentOverrides"
+          "$ref": "#/$defs/Types.FuryModuleOverrides"
         },
         "tigeraOperator": {
           "$ref": "#/$defs/Spec.Distribution.Modules.Networking.TigeraOperator"

schemas/public/onpremises-kfd-v1alpha2.json

@@ -1183,7 +1183,7 @@
       "additionalProperties": false,
       "properties": {
         "overrides": {
-          "$ref": "#/$defs/Types.FuryModuleComponentOverrides"
+          "$ref": "#/$defs/Types.FuryModuleOverrides"
         },
         "tigeraOperator": {
           "$ref": "#/$defs/Spec.Distribution.Modules.Networking.TigeraOperator"

templates/distribution/_helpers.tpl

@@ -207,4 +207,8 @@ cert-manager.io/cluster-issuer: {{ .spec.distribution.modules.ingress.certManage
 
 {{ define "gangplankUrl" }}
   {{- template "ingressHostAuth" (dict "module" "auth" "package" "gangplank" "prefix" "gangplank." "spec" .) -}}
-{{ end }}
+{{ end }}
+
+{{ define "hubbleUrl" }}
+  {{- template "ingressHost" (dict "module" "networking" "package" "hubble" "prefix" "hubble." "spec" .) -}}
+{{ end }}

templates/distribution/manifests/auth/resources/pomerium-policy.yml.tpl

@@ -73,5 +73,13 @@ routes:
       - allow:
           and:
             - authenticated_user: true
+  {{- if eq .spec.distribution.modules.networking.type "cilium" }}
+  - from: https://{{ template "hubbleUrl" .spec }}
+    to: http://hubble-ui.kube-system.svc.cluster.local
+    policy:
+      - allow:
+          and:
+            - authenticated_user: true
+  {{- end }}
 {{ .spec.distribution.modules.auth.pomerium.policy | indent 2 }}
 {{ end }}

templates/distribution/manifests/networking/kustomization.yaml.tpl

@@ -11,30 +11,33 @@ resources:
   - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/networking/katalog/tigera/eks-policy-only" }}
 {{- end }}
 
-{{- if eq .spec.distribution.common.provider.type "none" }}
-{{- if eq .spec.distribution.modules.networking.type "calico" }}
+{{- if eq .spec.distribution.common.provider.type "none" }}{{/* none == on-prem */}}
+    {{- if eq .spec.distribution.modules.networking.type "calico" }}
   - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/networking/katalog/tigera/on-prem" }}
-{{- end }}
-{{- if eq .spec.distribution.modules.networking.type "cilium" }}
+    {{- end }}
+    {{- if eq .spec.distribution.modules.networking.type "cilium" }}
   - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/networking/katalog/cilium" }}
-{{- end }}
+      {{- if ne .spec.distribution.modules.ingress.nginx.type "none" }}
+  - resources/ingress-infra.yml
+      {{- end }}
+    {{- end }}
 {{- end }}
 
 patchesStrategicMerge:
 {{- if eq .spec.distribution.common.provider.type "eks" }}
   - patches/infra-nodes-tigera.yaml
 {{- end }}
 {{- if eq .spec.distribution.common.provider.type "none" }}
-{{- if eq .spec.distribution.modules.networking.type "calico" }}
+  {{- if eq .spec.distribution.modules.networking.type "calico" }}
   - patches/infra-nodes-tigera.yaml
-{{- end }}
-{{- if eq .spec.distribution.modules.networking.type "cilium" }}
+  {{- end }}
+  {{- if eq .spec.distribution.modules.networking.type "cilium" }}
   - patches/infra-nodes-distro-cilium.yaml
-{{- end }}
+  {{- end }}
 {{- end }}
 
 {{- if eq .spec.distribution.common.provider.type "none" }}
-{{- if eq .spec.distribution.modules.networking.type "calico" }}
+  {{- if eq .spec.distribution.modules.networking.type "calico" }}
 
 patchesJson6902:
   - target:
@@ -45,8 +48,7 @@ patchesJson6902:
       namespace: tigera-operator
     path: patchesjson/tigera-tolerations.yaml
 
-{{- end }}
-{{- if eq .spec.distribution.modules.networking.type "cilium" }}
+  {{- else if eq .spec.distribution.modules.networking.type "cilium" }}
 
 patchesJson6902:
   - target:
@@ -64,5 +66,5 @@ configMapGenerator:
     name: cilium-config
     namespace: kube-system
 
+  {{- end }}
 {{- end }}
-{{- end }}

templates/distribution/manifests/networking/resources/ingress-infra.yml.tpl

@@ -0,0 +1,45 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    cluster.kfd.sighup.io/useful-link.enable: "true"
+  annotations:
+    cluster.kfd.sighup.io/useful-link.url: https://{{ template "hubbleUrl" .spec }}
+    cluster.kfd.sighup.io/useful-link.name: "Cilium Hubble"
+    forecastle.stakater.com/expose: "true"
+    forecastle.stakater.com/appName: "Cilium Hubble"
+    forecastle.stakater.com/icon: "https://cilium.io/static/hubble-light-1-812e65cbb72a7f4efed59fcea48df840.svg"
+    {{ if not .spec.distribution.modules.networking.overrides.ingresses.hubble.disableAuth }}{{ template "ingressAuth" . }}{{ end }}
+    {{ template "certManagerClusterIssuer" . }}
+  name: hubble
+  {{ if and (not .spec.distribution.modules.networking.overrides.ingresses.hubble.disableAuth) (eq .spec.distribution.modules.auth.provider.type "sso") }}
+  namespace: pomerium
+  {{ else }}
+  namespace: kube-system
+  {{ end }}
+spec:
+  ingressClassName: {{ template "ingressClass" (dict "module" "networking" "package" "hubble" "type" "internal" "spec" .spec) }}
+  rules:
+    - host: {{ template "hubbleUrl" .spec }}
+      http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+          {{ if and (not .spec.distribution.modules.networking.overrides.ingresses.hubble.disableAuth) (eq .spec.distribution.modules.auth.provider.type "sso") }}
+            service:
+              name: pomerium
+              port:
+                number: 80
+          {{ else }}
+            service:
+              name: hubble-ui
+              port:
+                name: http
+          {{ end }}
+{{- template "ingressTls" (dict "module" "networking" "package" "hubble" "prefix" "hubble." "spec" .spec) }}