
feat(cilium): support secure TLS connection to the hubble relay#6606

Merged
shahargl merged 1 commit into
keephq:mainfrom
aditya-786:feat/cilium-secure-connection
Jun 29, 2026

Conversation

@aditya-786

Contributor

Closes #4264

Problem

The Cilium provider connects to the Hubble relay with grpc.insecure_channel, so the connection is plaintext only. As raised in #4264, the documented GKE approach (#4265) is an insecure workaround rather than a real fix, and there is currently no way to connect to a Hubble relay that requires TLS or mutual TLS.

Change

Add optional TLS to the Cilium provider:

  • use_tls (switch) connects to the relay over TLS.
  • ca_certificate (PEM) verifies the relay server; when omitted, the system trust store is used.
  • client_certificate + client_key (PEM) enable mutual TLS.

Default behavior is unchanged: use_tls defaults to false, which keeps the existing grpc.insecure_channel path. The channel construction is extracted into a small grpc-only helper build_cilium_channel (keep/providers/cilium_provider/secure_channel.py), and pull_topology now calls it.

Design note

The cert fields take PEM content via file config fields (the same convention as the GKE service-account field), which keeps the helper IO-free and fits Keep's secret handling. Happy to switch these to file paths instead if you prefer.

Tests

tests/test_cilium_secure_channel.py covers the insecure default, mutual TLS, server-only TLS, and TLS using the system trust store, asserting the exact gRPC credential calls:

$ pytest tests/test_cilium_secure_channel.py -q
4 passed

The test imports only the standalone helper (not the provider, which pulls the wider app), so it runs without the full backend. Verified fail-before/pass-after.
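The four fields described above map onto a small channel builder. The following is an added example written for this page, not Keep's own build_cilium_channel or its tests: the field names (use_tls, ca_certificate, client_certificate, client_key, all PEM content) follow the PR text, while the ChannelPlan type, the validation rules (refusing certificate material when use_tls is false, requiring client_certificate and client_key together, rejecting file paths where PEM is expected) and the helper names are assumptions made for the illustration. The sample PEM strings are constructed placeholders with valid headers only.

```python
"""Build a gRPC channel to a Hubble relay from four optional auth fields.

Added example (not Keep's build_cilium_channel). Field names follow the PR:
use_tls, ca_certificate, client_certificate, client_key, all PEM content.
ChannelPlan, the validation rules and the helper names are assumptions
made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder PEM blobs: they carry the headers the checks look
# for but are not real certificates or keys (build_channel needs real ones).
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...relay-ca...\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...keep-client...\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...keep-client...\n-----END PRIVATE KEY-----\n"


@dataclass(frozen=True)
class ChannelPlan:
    """What the channel builder will do, derived purely from the config."""
    secure: bool                      # TLS at all, or grpc.insecure_channel
    verify_with_default_roots: bool   # no ca_certificate given
    mutual_tls: bool                  # client certificate + key present


def _looks_like_pem(value: str, marker: str) -> bool:
    """Cheap structural check that a field holds PEM content, not a path."""
    return f"-----BEGIN {marker}" in value and "-----END " in value


def plan_channel(use_tls: bool, ca_certificate: Optional[str] = None,
                 client_certificate: Optional[str] = None,
                 client_key: Optional[str] = None) -> ChannelPlan:
    """Validate the four fields and decide how the channel will be built."""
    if not use_tls:
        # Certificates without use_tls would be silently ignored and the
        # connection would go out in plaintext; treat that as a misconfig.
        if ca_certificate or client_certificate or client_key:
            raise ValueError("certificate material given but use_tls is false; "
                             "refusing to fall back to plaintext silently")
        return ChannelPlan(secure=False, verify_with_default_roots=False, mutual_tls=False)
    # Mutual TLS needs both halves of the client identity.
    if bool(client_certificate) != bool(client_key):
        raise ValueError("client_certificate and client_key must be supplied together")
    if ca_certificate and not _looks_like_pem(ca_certificate, "CERTIFICATE"):
        raise ValueError("ca_certificate must be PEM content, not a file path")
    if client_certificate and not _looks_like_pem(client_certificate, "CERTIFICATE"):
        raise ValueError("client_certificate must be PEM content")
    if client_key and "PRIVATE KEY-----" not in client_key:
        raise ValueError("client_key must be a PEM private key")
    return ChannelPlan(secure=True,
                       verify_with_default_roots=not ca_certificate,
                       mutual_tls=bool(client_certificate))


def config_error(use_tls: bool, ca_certificate: Optional[str] = None,
                 client_certificate: Optional[str] = None,
                 client_key: Optional[str] = None) -> Optional[str]:
    """Return the validation message for a config, or None if it is acceptable."""
    try:
        plan_channel(use_tls, ca_certificate, client_certificate, client_key)
    except ValueError as exc:
        return str(exc)
    return None


def build_channel(target: str, use_tls: bool, ca_certificate: Optional[str] = None,
                  client_certificate: Optional[str] = None,
                  client_key: Optional[str] = None):
    """Create the gRPC channel. grpcio is imported here so that plan_channel
    stays importable (and testable) on a machine without it."""
    import grpc

    plan = plan_channel(use_tls, ca_certificate, client_certificate, client_key)
    if not plan.secure:
        return grpc.insecure_channel(target)
    # root_certificates=None makes gRPC use its default root set (its bundled
    # roots.pem, or the file named by GRPC_DEFAULT_SSL_ROOTS_FILE_PATH), which
    # is not necessarily the operating system trust store.
    creds = grpc.ssl_channel_credentials(
        root_certificates=ca_certificate.encode() if ca_certificate else None,
        private_key=client_key.encode() if plan.mutual_tls else None,
        certificate_chain=client_certificate.encode() if plan.mutual_tls else None,
    )
    return grpc.secure_channel(target, creds)


if __name__ == "__main__":
    print(plan_channel(True, SAMPLE_CA_PEM, SAMPLE_CLIENT_CERT_PEM, SAMPLE_CLIENT_KEY_PEM))
    print(config_error(False, ca_certificate=SAMPLE_CA_PEM))
```

The split between plan_channel and build_channel keeps the decision logic free of gRPC, so the rejection cases can be unit-tested without a relay; the one caveat worth carrying into any real implementation is that an omitted CA means gRPC's own default roots rather than the OS trust store, so a private relay CA must be supplied explicitly.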

@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. Enhancement New feature or request Provider Providers related issues labels Jun 28, 2026
The Cilium provider connected to the Hubble relay over plaintext only
(grpc.insecure_channel), so it could not talk to a relay that requires TLS or
mutual TLS.

Add optional TLS via four auth-config fields: use_tls turns on a secure channel,
ca_certificate verifies the server (system trust store when omitted), and
client_certificate plus client_key enable mutual TLS. Default behavior is
unchanged. The channel construction is extracted into build_cilium_channel.

Closes keephq#4264
@aditya-786 aditya-786 force-pushed the feat/cilium-secure-connection branch from e9f3c07 to 9678dbb Compare June 28, 2026 08:16

@shahargl shahargl left a comment

Member


lgtm

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jun 29, 2026
@shahargl shahargl merged commit 98dbd7e into keephq:main Jun 29, 2026
14 of 16 checks passed
@github-actions

Contributor

🌟 You're on fire, @aditya-786! Three PRs merged and counting! 🔥🎉

Your consistent contributions are truly impressive. You're becoming a valued member of our community! 💖
Have you considered taking on some more challenging issues? We'd love to see what you can do! 💪

Remember, the team is always here to support you. Keep blazing that trail! 🚀



Linked issue: #4264 [➕ Feature]: Cilium provider secure connection