K
Q

Run Graylog in a Kubernetes cluster behind a ingress controller with TLS encryption

3/26/2020

I'm currently setting up Graylog within my Kubernetes cluster as described here. I also want to encrypt the data traffic to my cluster using a NGINX reverse proxy as an ingress controller, so the controller is the only part of the cluster that needs to care about https and my actual application doesn't. This is my ingress.yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  tls:
  - hosts:
    - my-app.com
    secretName: my-certificat
  rules:
  - host: my-app.com
    http:
      paths:
      - backend:
          serviceName: some-service
          servicePort: 8092
        path: /api/v1.0/(.*)
      - backend:
          serviceName: graylog3
          servicePort: 9000
        path: /api/(.*)
      - backend:
          serviceName: graylog3
          servicePort: 9000
        path: /graylog/(.*)
      - backend:
          serviceName: some-other-service
          servicePort: 15672
        path: /something/(.*)
      - backend:
          serviceName: my-app
          servicePort: 80
        path: /(.*)

When I try to access the Graylog Web Interface at my-app.com/graylog/ I get a lot of mixed content warnings when the browser tries to load the scripts required by Graylog's index.html which seems to indicate a http/https problem. I followed these instructions to convert my self-signed certificate into the required format, added it to my JVM Trust Store and also created a tls secret within my cluster, but it still doesn't work.

The page says:

The resulting graylog-certificate.pem and graylog-key.pem can be used in the Graylog configuration file.

But I don't have a Graylog configuration file, only .yaml files and I don't know where to put the newly created certificate/secret in order for Graylog to recognize them.

Update:

So I figured out how to bring the NGINX configuration file to Kubernetes. Here it is:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: my-namespace
data:
  nginx.conf: |
    http {
      include conf/mime.types;
      include /etc/nginx/mime.types;

      server {
        listen      443 ssl http2;
        server_name my-app.com;
        ssl_certificate /etc/nginx/ssl/my-secret.crt;
        ssl_certificate_key /etc/nginx/ssl/my-secret.key;

        location /graylog/
        {
          proxy_set_header Host $http_host;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Graylog-Server-URL https://$server_name/graylog/;
          rewrite          ^/graylog/(.*)$  /$1  break;
          proxy_pass       http://graylog3:9000;
        }
      }
    }

I do not get any mixed content warnings anymore, so that seems to have worked, but now I'm getting MIME-type errors, saying that instead of the desired JavaScript files the browser got HTML in return. Following the route to one of the scripts leads back to Graylogs index.html, so my assumption is that there is an error in the request path which causes the request beeing directed to the landing page as a default behaviour.

The GRAYLOG_HTTP_EXTERNAL_URI in my graylog.yaml is:

https://my.com/graylog/
-- TigersEye120
graylog
kubernetes
nginx-ingress
ssl

Similar Questions

Recreate Pod managed by a StatefulSet with a fresh PersistentVolume
Ansible K8s module: Failed to import the required Python library (openshift) on Python /usr/bin/python3
Dynamically Creating K8s (AKS) Namespaces for Every Branch/Pull Request in GitLab via jenkins
Can't see my app on browser deploying with Kubernetes

0 Answers