Fix #44: Securing access to Kibana

ricsanfre · Mar 22, 2022 · 760c9ed · 760c9ed
1 parent 2014c59
commit 760c9ed
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 16 deletions.
diff --git a/docs/_docs/logging.md b/docs/_docs/logging.md
@@ -181,7 +181,6 @@ This can be useful for example if elasticsearh database have to be used to monit
 
 - Step 1. Create the ingress rule manifest
 
-
   ```yml
   ---
   # HTTPS Ingress
@@ -319,26 +318,63 @@ Make accesible Kibana UI from outside the cluster through Ingress Controller
 - Step 1. Create the ingress rule manifest
 
   ```yml
+  ---
+  # HTTPS Ingress
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: kibana-ingress
     namespace: k3s-logging
     annotations:
-      kubernetes.io/ingress.class: traefik
+      # HTTPS as entry point
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      # Enable TLS
+      traefik.ingress.kubernetes.io/router.tls: "true"
+      # Enable cert-manager to create automatically the SSL certificate and store in Secret
+      cert-manager.io/cluster-issuer: ca-issuer
+      cert-manager.io/common-name: kibana.picluster.ricsanfre.com
   spec:
+    tls:
+      - hosts:
+          - kibana.picluster.ricsanfre.com
+        secretName: kibana-tls
     rules:
-    - host: kibana.picluster.ricsanfre.com
-      http:
-        paths:
-        - path: /
-          pathType: Prefix
-          backend:
-            service:
-              name: "efk-kb-http"
-              port:
-                number: 5601
+      - host: kibana.picluster.ricsanfre.com
+        http:
+          paths:
+            - path: /
+              pathType: Prefix
+              backend:
+                service:
+                  name: efk-kb-http
+                  port:
+                    number: 5601
+  ---
+  # http ingress for http->https redirection
+  kind: Ingress
+  apiVersion: networking.k8s.io/v1
+  metadata:
+    name: kibana-redirect
+    namespace: k3s-logging
+    annotations:
+      # Use redirect Midleware configured
+      traefik.ingress.kubernetes.io/router.middlewares: traefik-system-redirect@kubernetescrd
+      # HTTP as entrypoint
+      traefik.ingress.kubernetes.io/router.entrypoints: web
+  spec:
+    rules:
+      - host: kibana.picluster.ricsanfre.com
+        http:
+          paths:
+            - path: /
+              pathType: Prefix
+              backend:
+                service:
+                  name: efk-kb-http
+                  port:
+                    number: 5601
   ```
+
 - Step 2: Apply manifest
   ```shell
   kubectl apply -f manifest.yml

diff --git a/roles/logging/k3s/templates/kibana_ingress.yml.j2 b/roles/logging/k3s/templates/kibana_ingress.yml.j2
@@ -1,20 +1,56 @@
 ---
+# HTTPS Ingress
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: kibana-ingress
-  namespace: k3s-logging
+  namespace: {{ k3s_logging_namespace }}
   annotations:
-    kubernetes.io/ingress.class: traefik
+    # HTTPS as entry point
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    # Enable TLS
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # Enable cert-manager to create automatically the SSL certificate and store in Secret
+    cert-manager.io/cluster-issuer: ca-issuer
+    cert-manager.io/common-name: {{ kibana_dashboard_dns }}
 spec:
+  tls:
+    - hosts:
+        - {{ kibana_dashboard_dns }}
+      secretName: kibana-tls
   rules:
-    - host: {{ kibana_dashboard_dns }}
+    - host: {{ kibana_dashboard_dns  }}
       http:
         paths:
           - path: /
             pathType: Prefix
             backend:
               service:
-                name: "{{ efk_cluster_name }}-kb-http"
+                name: {{ efk_cluster_name }}-kb-http
+                port:
+                  number: 5601
+
+---
+# http ingress for http->https redirection
+kind: Ingress
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: kibana-redirect
+  namespace: {{ k3s_logging_namespace }}
+  annotations:
+    # Use redirect Midleware configured
+    traefik.ingress.kubernetes.io/router.middlewares: {{ k3s_traefik_namespace }}-redirect@kubernetescrd
+    # HTTP as entrypoint
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+  rules:
+    - host: {{ kibana_dashboard_dns  }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ efk_cluster_name }}-kb-http
                 port:
                   number: 5601