Secure ingress path for Grafana and Kibana

The change enables TLS for the ingress path of Grafana and Kibana. Change-Id: I1bca5a3d78421873bff275d315ec0cca6682a498
2021-05-05 14:53:12 -07:00 · 2021-05-05 14:53:12 -07:00 · 181cbf5599
commit 181cbf5599
parent 31932af08c
8 changed files with 30 additions and 4 deletions
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.3.6
 description: OpenStack-Helm Grafana
 name: grafana
-version: 0.1.5
+version: 0.1.6
 home: https://grafana.com/
 sources:
  - https://github.com/grafana/grafana
--- a/grafana/templates/ingress-grafana.yaml
+++ b/grafana/templates/ingress-grafana.yaml
@ -13,6 +13,10 @@ limitations under the License.
 */}}

 {{- if and .Values.manifests.ingress .Values.network.grafana.ingress.public }}
-{{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.grafana.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}
--- a/grafana/values_overrides/tls.yaml
+++ b/grafana/values_overrides/tls.yaml
@ -26,6 +26,14 @@ conf:
            basicAuthPassword: {{ .Values.endpoints.monitoring.auth.user.password }}
            tlsCACert: $CACERT
          url: {{ $prom_uri }}
+endpoints:
+  grafana:
+    host_fqdn_override:
+      default:
+        tls:
+          issuerRef:
+            name: ca-issuer
+            kind: ClusterIssuer
 manifests:
  certificates: true
 ...
--- a/kibana/Chart.yaml
+++ b/kibana/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.1.0
 description: OpenStack-Helm Kibana
 name: kibana
-version: 0.1.3
+version: 0.1.4
 home: https://www.elastic.co/products/kibana
 sources:
  - https://github.com/elastic/kibana
--- a/kibana/templates/ingress-kibana.yaml
+++ b/kibana/templates/ingress-kibana.yaml
@ -12,7 +12,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

+
 {{- if and .Values.manifests.ingress .Values.network.kibana.ingress.public }}
-{{- $ingressOpts := dict "envAll" . "backendService" "kibana" "backendServiceType" "kibana" "backendPort" "http" -}}
+{{- $envAll := . -}}
+{{- $ingressOpts := dict "envAll" $envAll "backendService" "kibana" "backendServiceType" "kibana" "backendPort" "http" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.kibana.host_fqdn_override.default.tls.issuerRef.name -}}
+{{- end -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}
--- a/kibana/values_overrides/tls.yaml
+++ b/kibana/values_overrides/tls.yaml
@ -12,6 +12,13 @@ endpoints:
    port:
      http:
        default: 443
+  kibana:
+    host_fqdn_override:
+      default:
+        tls:
+          issuerRef:
+            name: ca-issuer
+            kind: ClusterIssue
 manifests:
  certificates: true
 ...
--- a/releasenotes/notes/grafana.yaml
+++ b/releasenotes/notes/grafana.yaml
@ -6,4 +6,5 @@ grafana:
  - 0.1.3 Provision any dashboard as homepage
  - 0.1.4 Enable TLS for Grafana
  - 0.1.5 Enable TLS between Grafana and Prometheus
+  - 0.1.6 Enable TLS for Grafana ingress path
 ...
--- a/releasenotes/notes/kibana.yaml
+++ b/releasenotes/notes/kibana.yaml
@ -4,4 +4,5 @@ kibana:
  - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
  - 0.1.2 Drop usage of fsGroup inside container
  - 0.1.3 Enable TLS with Elasticsearch
+  - 0.1.4 Enable TLS for Kibana ingress path
 ...