added kibana tls to es

SoftwareAG · Mar 21, 2024 · bb7fe4f · bb7fe4f
1 parent 455b74c
commit bb7fe4f
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 2 deletions.
diff --git a/apigateway/helm/templates/_helper.tpl b/apigateway/helm/templates/_helper.tpl
@@ -37,6 +37,13 @@ Build the secret name for kibana user
 {{- default ( printf "%s%s" ( include "common.names.fullname" .) "-sag-user-kb" )  .Values.kibana.secretName }}
 {{- end }}
 
+{{/*
+Build the secret password for truststore for Kibana
+*/}}
+{{- define "apigateway.kibanatruststorepassword" -}}
+{{- default (printf "%s%s" ( include "common.names.fullname" .) "-truststore-password-kb") .Values.kibana.tls.truststorePasswordSecret }}
+{{- end }}
+
 {{/*
 Build the secret name for keystore for Elasticsearch
 */}}

diff --git a/apigateway/helm/templates/kibana.yaml b/apigateway/helm/templates/kibana.yaml
@@ -38,7 +38,13 @@ spec:
     server.publicBaseUrl: https://{{ $defaultHost }}/apigatewayui/dashboardproxy
     server.basePath: /apigatewayui/dashboardproxy
     server.rewriteBasePath: false
-
+    {{- if .Values.kibana.tls.enabled }}
+    elasticsearch.ssl.truststore.path: /usr/share/kibana/config/elasticsearch-certs/truststore.p12
+    elasticsearch.ssl.truststore.password: "${KIBANA_TRUSTSTORE_PASSWORD}"
+    elasticsearch.ssl.verificationMode: {{ .Values.kibana.tls.verificationMode }}
+    {{- else }}
+    elasticsearch.ssl.verificationMode: none
+    {{- end }}
   http:
     tls:
       selfSignedCertificate:
@@ -72,6 +78,15 @@ spec:
       initContainers:
         {{- toYaml .Values.kibana.extraInitContainers | nindent 8 }}
       {{- end }}
+      {{- if .Values.kibana.tls.enabled }}
+      volumes:
+        - name: elasticsearch-certs
+          secret:
+            secretName: {{ .Values.kibana.tls.secretName }}
+            items:
+              - key: {{ .Values.kibana.tls.trustStoreName }}
+                path: truststore.p12
+      {{- end }}
       containers:
         - name: kibana
           resources:
@@ -91,8 +106,20 @@ spec:
                 secretKeyRef:
                   name: {{ include "apigateway.kibanasecret" . }}
                   key: password
+            - name: KIBANA_TRUSTSTORE_PASSWORD  
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "apigateway.kibanatruststorepassword" . }}
+                  key: password
           readinessProbe:
             httpGet:
               path: /status
               port: 5601
-              scheme: HTTP
+              scheme: HTTP
+          {{- if .Values.kibana.tls.enabled }}
+          volumeMounts:
+            - name: elasticsearch-certs
+              mountPath: /usr/share/kibana/config/elasticsearch-certs/truststore.p12
+              subPath:   truststore.p12
+              readOnly: true
+          {{- end }}
diff --git a/apigateway/helm/values.yaml b/apigateway/helm/values.yaml
@@ -650,6 +650,20 @@ kibana:
     # Requires create=true to work.
     roleName: ""
 
+  # -- Enable and configure tls connection from Kibana to Elasticsearch.
+  tls:
+    # -- Whether to enable tls connection from Kibana to Elasticsearch.
+    enabled: false
+    # -- Name of the k8s secret holding the p12 truststore for Kibana
+    secretName: ""
+    # -- File name of the p12 truststore for Kibana
+    trustStoreName: ""
+    # -- Name of the k8s secret containing the password for above p12 truststore in key 'password'
+    truststorePasswordSecret: dataport-truststore-p12-password
+    # -- TLS verification mode. Either 'none', 'certificate' or 'full'. Full includes hostname verification (service name must be in alt dns for it to work).
+    verificationMode: certificate
+
+
 # -- Elasticsearch exporter settings. See https://github.com/prometheus-community/elasticsearch_exporter for details.
 prometheus-elasticsearch-exporter: