Free SSL Certificates with Let's Encrypt for the Grafana and Prometheus-Operator Helm Charts

Grafana is the most popular web-based tool for creating dashboards and alerts. Tools like Kubernetes and Helm have made it possible to deploy Grafana with only a few commands if you have the existing infrastructure for launching Docker containers. However, the documentation and tutorials for setting up Grafana almost always skip over how to secure the web-based front end using SSL encryption.

Before Let’s Encrypt, it was tedious and expensive to add SSL encryption to a website. Let’s Encrypt’s APIs have made it simple (automated) and free to deploy SSL encryption, so there is no reason not to SSL encrypt your web-based applications, even if you are just in the testing phase.

In this post, I will show you how to setup Free SSL certificates with automated renewals using cert-manager and Let’s Encrypt for Grafana deployed on Kubernetes using Helm (version 3).

This example will use the NGINX Ingress Controller for the Kubernetes Ingress resource. I will not go into much detail in this post on how to configure the NGINX Ingress Controller; you can find those details here. Deploying SSL certificates with cert-manager doesn’t require any specific configuration for the NGINX Ingress Controller, so we can just use the default Helm Chart values.

First, create a namespace for deploying the nginx-ingress Helm Chart:

kubectl create namespace nginx-ingress

Then install the nginx-ingress Helm Chart:

helm install nginx-ingress stable/nginx-ingress --namespace nginx-ingress

If everything was done correctly, when you get the services for the nginx-ingress namespace, you should see the EXTERNAL-IP address listed for the nginx-ingress-controller service.

$ kubectl -n nginx-ingress get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-ingress-controller LoadBalancer 10.233.51.219 XXX.XXX.XXX.XXX 80:30816/TCP,443:31905/TCP 49s
nginx-ingress-default-backend ClusterIP 10.233.27.227 <none> 80/TCP 49s

I highly recommend creating a hostname for Grafana before installing any additional Helm Charts. See your domain registrar’s documentation for how to do this. In this post I will pretend that I own the example.com domain name and that I created the grafana.example.com hostname and mapped it to the EXTERNAL-IP address from the step above. A hostname for the SSL certificate will be necessary when configuring the prometheus-operator Helm Chart.

After Nginx Ingress is running, we need to install cert-manager in order to issue Let’s Encrypt SSL certificates. Click here for full cert-manager install instructions. The following instructions will cover installing cert-manager version 0.15.2 with the Let’s Encrypt ClusterIssuer.

First, create a Kubernetes namespace for deploying the cert-manager Helm Chart:

kubectl create namespace cert-manager

Add the cert-manager Helm repository:

helm repo add jetstack https://charts.jetstack.io
helm repo update

Install the cert-manager Helm Chart with the default values:

helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.15.2  --set installCRDs=true

Verify that cert-manager has started and the status of the pods is Running:

$ kubectl -n cert-manager get po
NAME READY STATUS RESTARTS AGE
cert-manager-749df5b4f8-r5tqm 1/1 Running 0 49s
cert-manager-cainjector-67b7c65dff-t6hmj 1/1 Running 0 49s
cert-manager-webhook-7d5d8f856b-rccxp 1/1 Running 0 49s

Once cert-manager is running, we need to create the ClusterIssuer resource for Let’s Encrypt. Create a file named cluster-issuer-prod.yaml and add the following; remember to replace your-email@address.com with your E-mail address:

---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: your-email@address.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: letsencrypt-prod
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx

If you are testing you may want to use the staging server https://acme-staging-v02.api.letsencrypt.org/directory instead of the production server so you don’t run into any of the certificate request limitations when you are ready for production. Let’s Encrypt’s staging server doesn’t have the same API limitations as the production server, but it doesn’t issue valid SSL certificates.

Finally, apply the Let’s Encrypt ClusterIssuer:

kubectl apply -f cluster-issuer-prod.yaml

Now cert-manager is ready to start issuing Let’s Encrypt SSL certificates for any NGINX Ingress Controller backed ingress resources on your Kubernetes Cluster.

Now we will install the Grafana or Prometheus-Operator Helm Chart. This example will install the Prometheus-Operator Helm Chart, but the Grafana portion of the values.yaml file is the same for both.

Again the first step is to create a Kubernetes namespace for deploying the prometheus-operator Helm Chart:

kubectl create namespace prom

Now we need to configure the ingress values for Grafana in the Helm Chart’s values.yaml. The complete configuration options are available on the prometheus-operator Helm Chart GitHub repository.

For the annotations, we want to specify that nginx is used for the ingress and that letsencrypt-prod is used for the cluster-issuer. Then we want to specify the host to use for the ingress and the tls host (SSL certificate common name); in most cases they will be the same. Below is an example of the grafana portion of my values.yaml for the prometheus-operator Helm Chart:

## Using default values from https://github.com/helm/charts/blob/master/stable/grafana/values.yaml
##
grafana:
  enabled: true
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
    hosts:
      - grafana.example.com
    tls:
      - hosts:
          - grafana.example.com
        secretName: grafana-tls

We can install the prometheus-operator Helm Chart once the values.yaml file has been configured:

helm install prom stable/prometheus-operator -f values.yaml --namespace prom

Verify the prom-grafana pod is running (it may take a few minutes to get running):

$ kubectl -n prom get po
NAME READY STATUS RESTARTS AGE
prom-grafana-798b7b89bf-rnbpt 2/2 Running 0 10s
prom-kube-state-metrics-568dc84666-z5vm6 1/1 Running 0 10s
prom-prometheus-node-exporter-88h4k 1/1 Running 0 10s
prom-prometheus-operator-operator-67d764bff6-j99jm 2/2 Running 0 56s
prometheus-prom-prometheus-operator-prometheus-0 3/3 Running 0 56s

Finally, you can view the status of the grafana-tls certificate. The ca.crt will be 0 bytes, but the tls.crt and tls.key should be greater than 0 bytes. If there is an error, the error message should show up here:

$ kubectl -n prom describe secret grafana-tls
Name:         grafana-tls
Namespace:    prom
Labels:       <none>
Annotations:  cert-manager.io/alt-names: grafana.example.com
              cert-manager.io/certificate-name: grafana-tls
              cert-manager.io/common-name: grafana.example.com
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-prod
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
ca.crt:   0 bytes
tls.crt:  3574 bytes
tls.key:  1671 bytes

Now you can go to https://grafana.example.com and it should be secured by a free, valid SSL certificate. That is it. As long as cert-manager is running you don’t have to do anything, ever! cert-manager should automatically renew Let’s Encrypt SSL certificates without any user interaction every month.
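
The mistakes this walkthrough warns about (a placeholder e-mail left in the ClusterIssuer, the staging ACME server used for a production deployment, a cluster-issuer annotation that does not match the ClusterIssuer name, ingress hosts and tls hosts that differ, a missing secretName) are all visible in the two manifests before helm install runs, and the renewal claim in the last paragraph is easy to monitor afterwards. The following preflight script is an added example written for this page; it is not code from the original post or from cert-manager. It embeds constructed copies of the two manifests above (with a sample e-mail address), scans them with regular expressions rather than a YAML library so it needs only the standard library, and assumes the status.notAfter timestamp of the cert-manager Certificate resource as the input for the expiry check.

```python
import re
from datetime import datetime, timezone

STAGING_SERVER = "https://acme-staging-v02.api.letsencrypt.org/directory"
PRODUCTION_SERVER = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed copies of the post's two manifests; the e-mail is a sample value.
ISSUER_YAML = """\
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: admin@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
"""
GRAFANA_VALUES = """\
grafana:
  ingress:
    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
    hosts:
      - grafana.example.com
    tls:
      - hosts:
          - grafana.example.com
        secretName: grafana-tls
"""

def _value(pattern, text):
    """First capture group of pattern in text (quotes stripped), or None if absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip("\"'") if m else None

def check_cluster_issuer(issuer_yaml):
    """Findings for a ClusterIssuer manifest; an empty list means production-ready."""
    findings = []
    email = _value(r"^\s*email:\s*(\S+)", issuer_yaml)
    server = _value(r"^\s*server:\s*(\S+)", issuer_yaml)
    solver_class = _value(r"^\s*class:\s*(\S+)", issuer_yaml)
    if not email or email.startswith("your-email@"):
        findings.append("email: placeholder address was not replaced")
    if server == STAGING_SERVER:
        findings.append("server: staging endpoint; browsers will not trust its certificates")
    elif server != PRODUCTION_SERVER:
        findings.append(f"server: unexpected ACME endpoint {server!r}")
    if solver_class != "nginx":
        findings.append("solvers: http01 ingress class must be nginx for the NGINX Ingress Controller")
    return findings

def _host_groups(values_yaml):
    """Every `hosts:` list in the fragment, in order: ingress hosts first, then tls hosts."""
    groups, current = [], None
    for line in values_yaml.splitlines():
        if re.match(r"^\s*-?\s*hosts:\s*$", line):
            current = []
            groups.append(current)
        elif current is not None and re.match(r"^\s*-\s+\S+", line):
            current.append(line.split("-", 1)[1].strip())
        else:
            current = None
    return groups

def check_grafana_values(values_yaml, issuer_name):
    """Findings for the grafana ingress section, cross-checked against the issuer name."""
    findings = []
    cluster_issuer = _value(r"^\s*cert-manager\.io/cluster-issuer:\s*(\S+)", values_yaml)
    secret_name = _value(r"^\s*secretName:\s*(\S+)", values_yaml)
    groups = _host_groups(values_yaml)
    if cluster_issuer != issuer_name:
        findings.append(f"annotations: cluster-issuer {cluster_issuer!r} != ClusterIssuer {issuer_name!r}")
    if len(groups) < 2 or set(groups[0]) != set(groups[1]):
        findings.append("hosts: ingress hosts and tls hosts differ; the certificate would cover the wrong name")
    if not secret_name:
        findings.append("tls: secretName missing; nowhere to store the issued certificate")
    return findings

def days_until_expiry(not_after, now=None):
    """Whole days left, given the RFC 3339 status.notAfter of the Certificate resource (assumed field).
    Let's Encrypt certificates last 90 days and cert-manager renews before expiry,
    so a value that keeps shrinking across checks means renewal is failing."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expires = datetime.strptime(not_after, fmt).replace(tzinfo=timezone.utc)
    current = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc) if now else datetime.now(timezone.utc)
    return (expires - current).days

if __name__ == "__main__":
    name = _value(r"^\s*name:\s*(\S+)", ISSUER_YAML)  # metadata.name comes first in the manifest
    print("ClusterIssuer:", check_cluster_issuer(ISSUER_YAML) or "ok")
    print("values.yaml:", check_grafana_values(GRAFANA_VALUES, name) or "ok")
    print("days left:", days_until_expiry("2020-10-01T00:00:00Z", now="2020-09-01T00:00:00Z"))
```

Run it against your own files by reading cluster-issuer-prod.yaml and values.yaml into the two strings, and feed days_until_expiry the output of kubectl -n prom get certificate grafana-tls -o jsonpath='{.status.notAfter}' from a cron job or alert rule; because ca.crt is empty and the staging CA is not trusted by browsers, the server check is the one that catches a deployment that looks healthy in kubectl but fails in the browser.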

Translated from: https://medium.com/swlh/free-ssl-certs-with-lets-encrypt-for-grafana-prometheus-operator-helm-charts-b3b629e84ba1
