Adding SSL to Grafana and Accessing It from Anywhere - Kubernetes


Grafana is a dashboard tool, so it is useful to be able to access it from anywhere.  For local access, it is easy to port-forward to localhost and open it there.  However, what if you want to access it from outside the firewall?  In this case, you may want to add an SSL certificate to Grafana's external address so that the connection is secure.  I will explain how to add SSL to Grafana.
 
Basically, you will need to create a secret and add it to the ingress controller so that the controller can securely implement SSL.
 


Prerequisites

  • Kubernetes environment
  • Install kubernetes-helm
  • SSL Certificate files
    • .crt & .key files
    • If you only have a .pfx file and its password, you can easily find tools on the internet to generate the .crt & .key files
  • DNS URL address for Grafana to use
  • Have the following installed already 
    • nginx ingress controller
    • Prometheus
    • Grafana
    • If you have not installed them, use the link below for easy installation with a persistent volume: 
 

Kubernetes : Persisting Grafana and Prometheus Configuration Data

If you install Grafana in Kubernetes, you may see that the config data in Grafana may be reset (such as admin password and dashboard configuration) when Grafana pod resets. This is because you have not set up a persistent disk attached to the Grafana durin

ranku.tistory.com

 


1. Create SSL Secret

Generate an SSL secret from the .crt & .key files.  The command below creates the secret in the namespace called "default".

kubectl create secret tls <name of secret, without brackets> --cert <path/to/crt/file, without brackets> --key <path/to/key/file, without brackets>

2. Change Configuration of nginx ingress controller 

Open the deployment YAML file for the nginx ingress controller. Every ecosystem has a different way to open the YAML file, so you must find the way to do it on your system.  The screen below shows an example in Azure AKS.

Locating ingress-nginx-controller in Azure AKS
Locating YAML file for the ingress-nginx-controller in AKS


In the YAML file, add the two lines below to the section spec > template > spec > containers > args. This adds the secret you created earlier to the ingress-nginx-controller.

Locating the correct section to add SSL secret

- '--default-ssl-certificate=<the namespace where the secret is located, without brackets>/<name of secret, without brackets>'
- '--enable-ssl-passthrough=true'

3. Create an Ingress

The Ingress takes the role of managing the rules of the ingress controller.  Below is the YAML to create a new Ingress.

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: <name of ingress, without brackets>
  namespace: <the namespace of ingress - !!WARNING!!! this must be the same as the namespace of your nginx ingress controller, in order for this ingress to communicate with the ingress controller, without brackets>
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - <DNS URL address of the Grafana - e.g. grafana.domain.com, without brackets>
      secretName: <name of the secret, without brackets>
  rules:
    - host: <DNS URL address of the Grafana - e.g. grafana.domain.com, without brackets>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: <name of Grafana service, without brackets>
                port:
                  number: <Service port of Grafana - e.g. 3000, without brackets>
status:
  loadBalancer: {}

Once this is all done, you will be able to access Grafana over SSL using the DNS URL address you specified in the YAML file.
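
As a check on the wiring from steps 1 and 3, the following added example (not code from the original post) inspects an Ingress and a list of Secrets in the shape that `kubectl get ... -o json` returns. It relies on the fact that an Ingress's secretName is looked up in the Ingress's own namespace; the secret name `grafana-tls` and the namespace `ingress-nginx` are assumptions, and all objects are constructed samples with dummy PEM bodies.

```python
import base64

def b64(text):
    return base64.b64encode(text.encode()).decode()

def make_secret(namespace, name):
    """Constructed stand-in for `kubectl get secret -o json` output (dummy PEM bodies)."""
    return {"type": "kubernetes.io/tls",
            "metadata": {"namespace": namespace, "name": name},
            "data": {"tls.crt": b64("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"),
                     "tls.key": b64("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")}}

def make_ingress(namespace, rule_host, tls_host, secret_name):
    """Constructed stand-in for `kubectl get ingress -o json` output."""
    return {"metadata": {"namespace": namespace, "name": "grafana"},
            "spec": {"tls": [{"hosts": [tls_host], "secretName": secret_name}],
                     "rules": [{"host": rule_host}]}}

def check_ingress_tls(ingress, secrets):
    """Return a list of findings; an empty list means the TLS wiring is consistent."""
    findings = []
    ns = ingress["metadata"].get("namespace", "default")
    known = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s for s in secrets}
    tls_hosts = set()
    for block in ingress["spec"].get("tls", []):
        tls_hosts.update(block.get("hosts", []))
        name = block.get("secretName")
        secret = known.get((ns, name))  # secretName is looked up in the Ingress's own namespace
        if secret is None:
            findings.append(f"secret {ns}/{name} not found in the Ingress namespace")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {ns}/{name} is not of type kubernetes.io/tls")
        for field, marker in (("tls.crt", "BEGIN CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
            pem = base64.b64decode(secret.get("data", {}).get(field, "")).decode(errors="replace")
            if marker not in pem:
                findings.append(f"secret {ns}/{name}: {field} is missing or not PEM")
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"rule host {host} is not listed under spec.tls hosts")
    return findings

if __name__ == "__main__":
    secrets = [make_secret("default", "grafana-tls")]  # step 1 creates the secret in "default"
    for ns in ("default", "ingress-nginx"):
        ingress = make_ingress(ns, "grafana.domain.com", "grafana.domain.com", "grafana-tls")
        print(ns, check_ingress_tls(ingress, secrets) or "OK")
```

On a real cluster, pass it the parsed output of `kubectl get ingress <name> -n <namespace> -o json` and the `items` list from `kubectl get secrets -n <namespace> -o json`.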


 
