grafana / helm-charts


ELB Https configuration #1251

Open araufdogan opened 2 years ago

araufdogan commented 2 years ago

Hello,

I'm trying to install grafana in https mode, but the ingress annotations are not working. My values.yaml file is:

adminPassword: "123456"

persistence:
  enabled: true
  storageClassName: gp2

ingress:
  enabled: true
  ingressClassName: domain-class-name
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:...."
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
    nginx.ingress.kubernetes.io/whitelist-source-range: "whitelistip/32"
  labels: {}
  path: /

  pathType: Prefix

  hosts:
    - subdomain.domain.com
  extraPaths: []

datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
    - name: Prometheus
      type: prometheus
      url: http://prometheus-server.prometheus.svc.cluster.local
      access: proxy
      isDefault: true

service:
  enabled: true
  type: LoadBalancer

I'm installing grafana with the command:

helm install grafana grafana/grafana --namespace grafana -f values.yaml

It creates an ELB, but there is no https configuration and no whitelist-source-range. Where am I going wrong?

Thank you.

oflouis commented 2 years ago

@araufdogan You could set the grafana service to create an AWS ELB, and you should expose a port for HTTPS, like this:

grafana:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:....'
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
    type: LoadBalancer
  extraExposePorts:
    - name: https
      port: 443
      targetPort: 3000

I hope this helps you a little. (My snippets: https://gist.github.com/oflouis/421443c6d5b608f80d291171452a41d5)

sslny57 commented 5 months ago

##
################################################################################################################

service:
  enabled: true
  type: LoadBalancer
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:851465799644:certificate/f1"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-protocol: "HTTPS"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-0bxxxxx"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "grafana-service=true"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "tcp"
  labels: {}
  ports:
    - name: http
      port: 80
      targetPort: 3000
      protocol: TCP
    - name: https
      port: 443
      targetPort: 3000
      protocol: TCP

extraExposePorts:
  - name: https
    port: 443
    targetPort: 3000

healthCheck:
  path: "/"  # Health check path for ALB to monitor Grafana health
  intervalSeconds: 10
  timeoutSeconds: 5
  unhealthyThresholdCount: 6
  healthyThresholdCount: 2

externalTrafficPolicy: Cluster  # Cluster does not preserve the client source IP; Local does

This worked for me. Hopefully, it will be helpful to someone.
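
The placement problem in this thread can be checked before install. The following is an added example, not code from the thread or from the grafana chart: a Python lint over values already parsed into a dict, flagging `service.beta.kubernetes.io/aws-load-balancer-*` annotations set on the Ingress (they are read from Service objects), an ingress-level `whitelist-source-range` that the Service's own ELB bypasses, and `ssl-ports` entries with no matching Service port. `lint_values`, the finding labels and the assumed chart defaults (`service.port` 80, `service.portName` "service") are assumptions of the example.

```python
# Added example (not from the thread): lint parsed Helm values for the
# annotation placement problems discussed in this issue.
AWS_LB = "service.beta.kubernetes.io/aws-load-balancer-"  # read from Service objects
NGINX = "nginx.ingress.kubernetes.io/"                    # read from Ingress objects by ingress-nginx

def lint_values(values):
    """Return a list of finding strings for a values.yaml parsed into a dict."""
    findings = []
    ingress = values.get("ingress") or {}
    service = values.get("service") or {}
    ing_ann = ingress.get("annotations") or {}
    svc_ann = service.get("annotations") or {}

    for key in ing_ann:
        if key.startswith(AWS_LB):
            findings.append(f"misplaced: {key} is on the Ingress; the ELB is built from service.annotations")
    if service.get("type") != "LoadBalancer":
        return findings

    if ingress.get("enabled") and NGINX + "whitelist-source-range" in ing_ann:
        findings.append("bypass: whitelist-source-range only filters traffic through the Ingress, not the Service's own ELB")
    if AWS_LB + "ssl-cert" not in svc_ann:
        findings.append("no-tls: service.annotations has no ssl-cert, so the ELB gets no HTTPS listener")

    # Ports the Service exposes. Assumed chart defaults: port 80 named "service".
    exposed = {str(service.get("port", 80)), service.get("portName", "service")}
    for p in values.get("extraExposePorts") or []:
        exposed.update({str(p.get("port")), p.get("name")})
    ssl_ports = str(svc_ann.get(AWS_LB + "ssl-ports", "*"))
    for want in filter(None, (s.strip() for s in ssl_ports.split(","))):
        if want != "*" and want not in exposed:
            findings.append(f"no-listener: ssl-ports names {want!r} but the Service does not expose it")
    return findings

# Constructed inputs, reduced from the two configurations posted above
# (the second is written at the top level, as for the standalone chart).
QUESTION = {
    "ingress": {"enabled": True, "annotations": {
        AWS_LB + "backend-protocol": "http", AWS_LB + "ssl-ports": "https",
        AWS_LB + "ssl-cert": "arn:aws:acm:....",
        NGINX + "force-ssl-redirect": "true",
        NGINX + "whitelist-source-range": "whitelistip/32"}},
    "service": {"enabled": True, "type": "LoadBalancer"},
}
ANSWER = {
    "service": {"type": "LoadBalancer", "annotations": {
        AWS_LB + "backend-protocol": "http", AWS_LB + "ssl-cert": "arn:aws:acm:....",
        AWS_LB + "ssl-ports": "443"}},
    "extraExposePorts": [{"name": "https", "port": 443, "targetPort": 3000}],
}
```

Run against `QUESTION` it reports the three misplaced annotations, the bypassed whitelist and the missing certificate; `ANSWER` produces no findings.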