diff --git a/apigateway/helm/templates/_helper.tpl b/apigateway/helm/templates/_helper.tpl index 721d87f..9ab8056 100644 --- a/apigateway/helm/templates/_helper.tpl +++ b/apigateway/helm/templates/_helper.tpl @@ -37,6 +37,13 @@ Build the secret name for kibana user {{- default ( printf "%s%s" ( include "common.names.fullname" .) "-sag-user-kb" ) .Values.kibana.secretName }} {{- end }} +{{/* +Build the secret password for truststore for Kibana +*/}} +{{- define "apigateway.kibanatruststorepassword" -}} +{{- default (printf "%s%s" ( include "common.names.fullname" .) "-truststore-password-kb") .Values.kibana.tls.truststorePasswordSecret }} +{{- end }} + {{/* Build the secret name for keystore for Elasticsearch */}} diff --git a/apigateway/helm/templates/kibana.yaml b/apigateway/helm/templates/kibana.yaml index 1efdf57..5279499 100644 --- a/apigateway/helm/templates/kibana.yaml +++ b/apigateway/helm/templates/kibana.yaml @@ -38,7 +38,13 @@ spec: server.publicBaseUrl: https://{{ $defaultHost }}/apigatewayui/dashboardproxy server.basePath: /apigatewayui/dashboardproxy server.rewriteBasePath: false - + {{- if .Values.kibana.tls.enabled }} + elasticsearch.ssl.truststore.path: /usr/share/kibana/config/elasticsearch-certs/truststore.p12 + elasticsearch.ssl.truststore.password: "${KIBANA_TRUSTSTORE_PASSWORD}" + elasticsearch.ssl.verificationMode: {{ .Values.kibana.tls.verificationMode }} + {{- else }} + elasticsearch.ssl.verificationMode: none + {{- end }} http: tls: selfSignedCertificate: @@ -72,6 +78,15 @@ spec: initContainers: {{- toYaml .Values.kibana.extraInitContainers | nindent 8 }} {{- end }} + {{- if .Values.kibana.tls.enabled }} + volumes: + - name: elasticsearch-certs + secret: + secretName: {{ .Values.kibana.tls.secretName }} + items: + - key: {{ .Values.kibana.tls.trustStoreName }} + path: truststore.p12 + {{- end }} containers: - name: kibana resources: 
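Review bot: The comment on the new `apigateway.kibanatruststorepassword` define says it builds "the secret password", but the template returns the name of the Secret that holds the password (kibana.yaml consumes it as `secretKeyRef.name`); the comment should read `Build the secret name holding the truststore password for Kibana`. The derived fallback `<fullname>-truststore-password-kb` is only reached when `.Values.kibana.tls.truststorePasswordSecret` is empty, and values.yaml in this same commit sets a non-empty default, so the fallback is effectively unreachable unless a user clears the value; that is worth stating in the comment or fixing on the values side. Style: the neighbouring kibana user helper spaces its parentheses as `( printf "%s%s" ( include ... ) "-sag-user-kb" )` while the new define writes `(printf ...)`; pick one form.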
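Review bot: `elasticsearch.ssl.verificationMode: {{ .Values.kibana.tls.verificationMode }}` is rendered unquoted, so an empty value produces a bare `elasticsearch.ssl.verificationMode:` (null) that Kibana will most likely reject at startup with an unhelpful message; quote it, `elasticsearch.ssl.verificationMode: {{ .Values.kibana.tls.verificationMode | quote }}`, or better fail at template time when the value is not one of the three modes the values.yaml comment lists. The `else` branch hard-codes `elasticsearch.ssl.verificationMode: none`, which disables certificate validation outright whenever `kibana.tls.enabled` is false; if the Elasticsearch endpoint (configured outside this hunk) is https, that is a silent downgrade rather than "TLS off", and the `enabled` flag should be documented as gating verification, not merely the truststore mount. A short comment above the `${KIBANA_TRUSTSTORE_PASSWORD}` line, such as `# resolved by Kibana's env-var interpolation; injected via the container env`, would tell the reader where the value comes from. The kibana config block this hunk edits starts before the hunk.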
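Review bot: `secretName: {{ .Values.kibana.tls.secretName }}` and `key: {{ .Values.kibana.tls.trustStoreName }}` are rendered from values whose defaults are `""`, so enabling `kibana.tls.enabled` without setting both yields `secretName:` / `key:` nulls that only fail at apply time with an opaque API-server error; fail at render time instead with `secretName: {{ required "kibana.tls.secretName must be set when kibana.tls.enabled is true" .Values.kibana.tls.secretName }}` and the equivalent `required` on `key`. The `volumes:` key is introduced here only inside the `if`; I cannot see the rest of the pod spec, but if another `volumes:` list exists elsewhere in this template the result is a duplicate mapping key that neither Helm nor most YAML loaders report. A one-line comment noting that the in-pod file name is fixed to `truststore.p12` regardless of the Secret key name would also help, since the path is repeated verbatim in the kibana config and the volumeMount.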
@@ -91,8 +106,20 @@ spec: secretKeyRef: name: {{ include "apigateway.kibanasecret" . }} key: password + - name: KIBANA_TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "apigateway.kibanatruststorepassword" . }} + key: password readinessProbe: httpGet: path: /status port: 5601 - scheme: HTTP \ No newline at end of file + scheme: HTTP + {{- if .Values.kibana.tls.enabled }} + volumeMounts: + - name: elasticsearch-certs + mountPath: /usr/share/kibana/config/elasticsearch-certs/truststore.p12 + subPath: truststore.p12 + readOnly: true + {{- end }} \ No newline at end of file diff --git a/apigateway/helm/values.yaml b/apigateway/helm/values.yaml index eb80d72..d54d680 100644 --- a/apigateway/helm/values.yaml +++ b/apigateway/helm/values.yaml @@ -650,6 +650,20 @@ kibana: # Requires create=true to work. roleName: "" + # -- Enable and configure tls connection from Kibana to Elasticsearch. + tls: + # -- Whether to enable tls connection from Kibana to Elasticsearch. + enabled: false + # -- Name of the k8s secret holding the p12 truststore for Kibana + secretName: "" + # -- File name of the p12 truststore for Kibana + trustStoreName: "" + # -- Name of the k8s secret containing the password for above p12 truststore in key 'password' + truststorePasswordSecret: dataport-truststore-p12-password + # -- TLS verification mode. Either 'none', 'certificate' or 'full'. Full includes hostname verification (service name must be in alt dns for it to work). + verificationMode: certificate + + # -- Elasticsearch exporter settings. See https://github.com/prometheus-community/elasticsearch_exporter for details. prometheus-elasticsearch-exporter:
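Review bot: The new `KIBANA_TRUSTSTORE_PASSWORD` env entry sits outside the `{{- if .Values.kibana.tls.enabled }}` guard that wraps the `volumeMounts` further down, so with the chart default `enabled: false` the pod still references the Secret named by `apigateway.kibanatruststorepassword` and will not start (CreateContainerConfigError) unless that Secret exists. Either wrap the five env lines in the same guard or add `optional: true` to the `secretKeyRef`; the former is preferable, since an unused password should not be injected into the container at all. The `volumeMounts:` key is likewise added conditionally, with the same duplicate-key caveat that applies to `volumes:` in the earlier hunk if a list is defined elsewhere in the template. The `env:` list this hunk extends starts above the hunk.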
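Review bot: `truststorePasswordSecret: dataport-truststore-p12-password` ships an environment-specific Secret name as a chart default, and because it is non-empty the `default` fallback in the new `apigateway.kibanatruststorepassword` helper never applies; set it to `""` so the helper derives `<fullname>-truststore-password-kb`, or document why a fixed, pre-created name is intended. Key casing is inconsistent within the new block: `trustStoreName` versus `truststorePasswordSecret` (and the helper name); pick one spelling before the values surface becomes public. The `enabled` doc says "Whether to enable tls connection", but the template also forces `verificationMode: none` when it is false, so `# -- Whether to mount a truststore and verify the Elasticsearch certificate; when false, verificationMode is forced to 'none'.` describes the actual effect. Since `secretName` and `trustStoreName` default to `""`, their comments should say they are mandatory when `enabled` is true.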