feat(cilium): support secure TLS connection to the hubble relay#6606
Merged
The Cilium provider connected to the Hubble relay over plaintext only (grpc.insecure_channel), so it could not talk to a relay that requires TLS or mutual TLS. Add optional TLS via four auth-config fields: use_tls turns on a secure channel, ca_certificate verifies the server (system trust store when omitted), and client_certificate plus client_key enable mutual TLS. Default behavior is unchanged. The channel construction is extracted into build_cilium_channel. Closes keephq#4264
e9f3c07 to 9678dbb
Contributor
🌟 You're on fire, @aditya-786! Three PRs merged and counting! 🔥🎉 Your consistent contributions are truly impressive. You're becoming a valued member of our community! 💖 Remember, the team is always here to support you. Keep blazing that trail! 🚀
Closes #4264

Problem

The Cilium provider connects to the Hubble relay with grpc.insecure_channel, so the connection is plaintext only. As raised in #4264, the documented GKE approach (#4265) is an insecure workaround rather than a real fix, and there is currently no way to connect to a Hubble relay that requires TLS or mutual TLS.

Change

Add optional TLS to the Cilium provider:

use_tls (switch) connects to the relay over TLS.
ca_certificate (PEM) verifies the relay server; when omitted, the system trust store is used.
client_certificate + client_key (PEM) enable mutual TLS.

Default behavior is unchanged: use_tls defaults to false, which keeps the existing grpc.insecure_channel path. The channel construction is extracted into a small grpc-only helper build_cilium_channel (keep/providers/cilium_provider/secure_channel.py), and pull_topology now calls it.

Design note

The cert fields take PEM content via file config fields (the same convention as the GKE service-account field), which keeps the helper IO-free and fits Keep's secret handling. Happy to switch these to file paths instead if you prefer.

Tests

tests/test_cilium_secure_channel.py covers the insecure default, mutual TLS, server-only TLS, and TLS using the system trust store, asserting the exact gRPC credential calls:

The test imports only the standalone helper (not the provider, which pulls the wider app), so it runs without the full backend. Verified fail-before/pass-after.
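The four-field scheme described above maps onto exactly two gRPC calls: grpc.insecure_channel when use_tls is off, and grpc.secure_channel with grpc.ssl_channel_credentials(root_certificates, private_key, certificate_chain) when it is on, where a None root_certificates means the system trust store. The following is an added illustration of that mapping, written for this page and not Keep's own secure_channel.py. The field names follow the PR description; the CiliumAuthConfig dataclass, the select_credentials function and its two validation rules (a client certificate without its key is rejected, and certificate fields combined with use_tls=false are rejected rather than silently falling back to plaintext) are this example's own assumptions, stricter than the PR text requires. The credential decision is kept in a pure function so it can be checked without grpcio installed or a relay reachable; build_cilium_channel needs the grpcio package at call time.

```python
# Added example: optional TLS / mTLS channel construction for a Hubble relay.
# Not Keep's code; field names follow the PR, validation rules are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CiliumAuthConfig:
    # Mirrors the four auth-config fields from the PR. PEM values are text,
    # as they would arrive from a Keep "file" config field / secret store.
    use_tls: bool = False
    ca_certificate: Optional[str] = None
    client_certificate: Optional[str] = None
    client_key: Optional[str] = None


def select_credentials(cfg: CiliumAuthConfig) -> dict:
    """Decide which gRPC credential call the channel needs.

    Returns a dict with "mode" in {"insecure", "tls", "mtls"} and the three
    keyword arguments of grpc.ssl_channel_credentials, with PEM text already
    encoded to bytes (grpc expects bytes, not str). Pure function: no IO,
    no grpc import, so it is testable in isolation.
    """
    has_client_cert = bool(cfg.client_certificate)
    has_client_key = bool(cfg.client_key)

    # Assumption of this example: half a client identity is a misconfiguration.
    if has_client_cert != has_client_key:
        raise ValueError("client_certificate and client_key must be set together")

    if not cfg.use_tls:
        # Assumption of this example: never drop to plaintext when the operator
        # supplied certificates, since that is almost certainly not intended.
        if cfg.ca_certificate or has_client_cert:
            raise ValueError("certificate fields are set but use_tls is false")
        return {"mode": "insecure", "root_certificates": None,
                "private_key": None, "certificate_chain": None}

    # None here tells grpc to use the system trust store, as the PR describes.
    root = cfg.ca_certificate.encode() if cfg.ca_certificate else None

    if has_client_cert:
        return {"mode": "mtls", "root_certificates": root,
                "private_key": cfg.client_key.encode(),
                "certificate_chain": cfg.client_certificate.encode()}
    return {"mode": "tls", "root_certificates": root,
            "private_key": None, "certificate_chain": None}


def build_cilium_channel(target: str, cfg: CiliumAuthConfig):
    """Build the relay channel from the selected credentials.

    grpc is imported lazily so select_credentials stays importable without
    grpcio; calling this function requires the grpcio package.
    """
    import grpc  # pip install grpcio

    sel = select_credentials(cfg)
    if sel["mode"] == "insecure":
        return grpc.insecure_channel(target)
    creds = grpc.ssl_channel_credentials(
        root_certificates=sel["root_certificates"],
        private_key=sel["private_key"],
        certificate_chain=sel["certificate_chain"],
    )
    return grpc.secure_channel(target, creds)
```

Usage: build_cilium_channel("hubble-relay.kube-system:4245", CiliumAuthConfig(use_tls=True, ca_certificate=ca_pem)) verifies the relay against the supplied CA; adding client_certificate and client_key turns the same call into mutual TLS. Whether a missing client_key should be an error or a fall-through to server-only TLS is a policy choice; the example errs on the side of failing loudly because a silently downgraded connection is the failure mode that is hardest to notice in production.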