v0.11.0-cee.1

See open source notes for details.

Enterprise Features

• Add support for flow aggregation. Run hubble observe --help to see the aggregation related flags and their associated help. This functionality is only available when interacting with Cilium Enterprise Hubble or Hubble Timescape.
• Add hubble logout to logout of an OIDC provider.
• Add a timeout to of 2 minutes to hubble login when using browser based authorization code flow.

v0.10.0-cee.2

See open source notes for details.

Bug fix

• hubble --version doesn't show the duplicated v prefix

v0.10.0-cee.1

See open source notes for details.

Enterprise Features

• hubble login now supports --token-file for specifying the path to an existing ID token to use for authentication.
• hubble login now always uses ID tokens for authentication. Previously it would use the access token.
• hubble login now lazily fetches credentials when an RPC is made, avoiding prompts when running commands which do not require credentials (eg; hubble --help).
• hubble login now supports the browser based Authorization code flow. This method is recommended over password based authentication as it has better security, and is more widely supported by OIDC providers.
• hubble login can be configured to request specific scopes using the --scopes flag.
• hubble login can manually refresh tokens using the --refresh flag if the login credentials contains a refresh token.
• hubble now supports specifying the OIDC issuer CA on all commands using the --issuer-ca flag. This is useful when connecting to an OIDC provider with a self-signed certificate.

Breaking changes

• When using authentication, TLS is now required. Previously it was optional when connecting to a unix socket or localhost. Users can still bypass TLS verification with --tls-allow-insecure, but --tls will be required.
• When using Okta, hubble now correctly uses the ID token for authentication to hubble-rbac instead of the Access Token. See the Hubble RBAC and Okta documentation for how to configure Okta, and hubble-rbac v1.1.0 release notes for details.

v0.10.0-cee.1.rc2

See open source notes for details.

Enterprise Features

• hubble login now supports --token-file for specifying the path to an existing ID token to use for authentication.
• hubble login now always uses ID tokens for authentication. Previously it would use the access token.
• hubble login now lazily fetches credentials when an RPC is made, avoiding prompts when running commands which do not require credentials (eg; hubble --help).
• hubble login now supports the browser based Authorization code flow. This method is recommended over password based authentication as it has better security, and is more widely supported by OIDC providers.
• hubble login can be configured to request specific scopes using the --scopes flag.
• hubble login can manually refresh tokens using the --refresh flag if the login credentials contains a refresh token.
• hubble now supports specifying the OIDC issuer CA on all commands using the --issuer-ca flag. This is useful when connecting to an OIDC provider with a self-signed certificate.

Breaking changes

• When using authentication, TLS is now required. Previously it was optional when connecting to a unix socket or localhost. Users can still bypass TLS verification with --tls-allow-insecure, but --tls will be required.
• When using Okta, hubble now correctly uses the ID token for authentication to hubble-rbac instead of the Access Token. See the Hubble RBAC and Okta documentation for how to configure Okta, and hubble-rbac v1.1.0 release notes for details.

v0.10.0-cee.1.rc1

See open source notes for details.

Enterprise Features

• hubble login now supports --token-file for specifying the path to an existing ID token to use for authentication.
• hubble login now always uses ID tokens for authentication. Previously it would use the access token.
• hubble login now lazily fetches credentials when an RPC is made, avoiding prompts when running commands which do not require credentials (eg; hubble --help).
• hubble login now supports the browser based Authorization code flow. This method is recommended over password based authentication as it has better security, and is more widely supported by OIDC providers.
• hubble login can be configured to request specific scopes using the --scopes flag.
• hubble login can skip refreshing tokens using the --refresh=false flag. This is useful when a user is requesting new scopes with the new --scope flag, as refresh tokens can only obtain new ID tokens with the scopes used to obtain the refresh token.
• hubble now supports specifying the OIDC issuer CA on all commands using the --issuer-ca flag. This is useful when connecting to an OIDC provider with a self-signed certificate.

Breaking changes

• When using authentication, TLS is now required. Previously it was optional when connecting to a unix socket or localhost. Users can still bypass TLS verification with --tls-allow-insecure, but --tls will be required.
• When using Okta, hubble now correctly uses the ID token for authentication to hubble-rbac instead of using the Access Token. See the Hubble RBAC and Okta documentation for how to configure Okta, and hubble-rbac v1.1.0 release notes for details.

v0.8.2-cee.2

See open source notes for details.

Enterprise Features

• fix for hubble login bug that does not initialize the config directory for storing client information for making oidc requests.

v0.8.2-cee.1

See open source notes for details.

Enterprise Features

• hubble login logs hubble into an OIDC provider. See enterprise documentation for details.

v0.7.1-cee.2

This release is based on OSS Hubble v0.7.1. Please see open source release notes for the list of upstream changes.

Enterprise Features

• Add --token-file flag to specify the path to a file that contains an authentication token to pass along when doing requests.