Configure Kloudfuse Stack to Work with TLS Termination

You can configure the Kloudfuse stack to work on clusters that have TLS termination in front of it, such as Okta or AWS ACM.

Minimal Configuration


Skip to Configure TLS termination on AWS NLB using AWS Certificate Manager for detailed instructions on AWS Certificate Manager and AWS NLB for TLS termination.

  1. Add the following entries to the custom_values.yaml file:

    tls:
      enabled: false
      awsAcmEnabled: true
    
    ingress-nginx:
      controller:
        service:
          targetPorts:
            https: http
  2. Update the third-party service that performs TLS Termination to point to the external IP of the kfuse-ingress-controller service.

Configure TLS termination on AWS NLB using AWS Certificate Manager

AWS supports configurations with TLS termination directly on the AWS NLB that backs the Kloudfuse ingress service.

Complete these tasks to fully configure TLS termination with AWS Certificate Manager.

Prerequisites

  • A DNS host name.

  • A certificate with this DNS host name, issued by the AWS Certificate Manager. See AWS documentation What is AWS Certificate Manager?.

  • Elastic IPs for the DNS host name for the ingress load balancer. To allocate IP addresses from AWS Elastic IP, see AWS documentation Elastic IP addresses.

Configure Helm Values

There are three options for configuring the Helm values:

Minimal configuration of nginx-ingress controller with ACM

minimal configuration for TLS Termination
tls:
  enabled: false
  awsAcmEnabled: true

ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: <REPLACE ELASTIC IP ALLOCATION IDs HERE, comma separated>
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      external:
        enabled: true
      targetPorts:
        https: http

Configuration of nginx-ingress controller, enabling host-based routing (Only External Load Balancer)

This configuration restricts Kloudfuse access to the host specified in the configuration.

tls termination 2
tls:
  enabled: false
  awsAcmEnabled: true
  host: <<External facing DNS host>>

ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: <REPLACE ELASTIC IP ALLOCATION IDs HERE, comma separated>
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      external:
        enabled: true
      targetPorts:
        https: http

Configuration of nginx-ingress controller, enabling host-based routing (Both Internal and External Load Balancer)

This configuration restricts Kloudfuse access to the host (both internal and external) specified in the configuration.

  • The internal load balancer can be used only for the ingest path, ingesting MELT data.

  • The external load balancer is used only for the query path.

tls termination 3
tls:
  enabled: false
  awsAcmEnabled: true
  host: <<External facing DNS host>>
  ingestInternalHost: <<Internal DNS host>>

ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: <REPLACE ELASTIC IP ALLOCATION IDs HERE, comma separated>
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      external:
        enabled: true
      targetPorts:
        https: http
      internal:
        enabled: true
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
          service.beta.kubernetes.io/aws-load-balancer-type: nlb
          service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        targetPorts:
          https: http
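The following validator is an added example and is not part of the Kloudfuse documentation or Helm chart. It takes the contents of custom_values.yaml as a Python dict (in practice loaded with PyYAML's yaml.safe_load; here a constructed sample with fake ARN, EIP allocation ids and host names is embedded so it runs offline) and checks the invariants the three configurations above share: tls.enabled false with awsAcmEnabled true, an ACM certificate ARN rather than a leftover placeholder in ssl-cert, ssl-ports 443, targetPorts.https mapped to http because the NLB has already decrypted the traffic, and, when the internal controller is enabled, the aws-load-balancer-internal annotation and tls.ingestInternalHost.

```python
import copy
import re

# Annotation prefix of the AWS load balancer controller, as used on this page.
ANN = "service.beta.kubernetes.io/aws-load-balancer-"
ACM_ARN_RE = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+$")
EIP_ALLOC_RE = re.compile(r"^eipalloc-[0-9a-f]+$")
PLACEHOLDER_RE = re.compile(r"[<>]|REPLACE")


def _check_lb(name, annotations, target_ports, findings):
    """Checks shared by the external and internal NLB service definitions."""
    for key, value in annotations.items():
        if isinstance(value, str) and PLACEHOLDER_RE.search(value):
            findings.append(f"{name}: placeholder left in {key}")
    if not ACM_ARN_RE.match(str(annotations.get(ANN + "ssl-cert", ""))):
        findings.append(f"{name}: ssl-cert is not an ACM certificate ARN")
    if str(annotations.get(ANN + "ssl-ports", "")) != "443":
        findings.append(f'{name}: ssl-ports must be "443"')
    # The NLB decrypts, so the controller must receive plain HTTP on its https
    # port; otherwise nginx expects a second TLS handshake and connections fail.
    if target_ports.get("https") != "http":
        findings.append(f"{name}: targetPorts.https must be http")


def check_tls_values(values):
    """Return findings for a custom_values.yaml dict; [] means consistent."""
    findings = []
    tls = values.get("tls") or {}
    if tls.get("enabled") is not False or tls.get("awsAcmEnabled") is not True:
        findings.append("tls: expected enabled: false and awsAcmEnabled: true")
    svc = ((values.get("ingress-nginx") or {}).get("controller") or {}).get("service") or {}
    ext_ann = svc.get("annotations") or {}
    _check_lb("external", ext_ann, svc.get("targetPorts") or {}, findings)
    if ext_ann.get(ANN + "type") != "external":
        findings.append("external: aws-load-balancer-type must be external")
    eips = [e.strip() for e in str(ext_ann.get(ANN + "eip-allocations", "")).split(",")]
    if not all(EIP_ALLOC_RE.match(e) for e in eips):
        findings.append("external: eip-allocations must be comma-separated eipalloc- ids")
    if not tls.get("host"):
        findings.append("tls.host unset: no host-based routing, any Host header is served")
    internal = svc.get("internal") or {}
    if internal.get("enabled"):
        int_ann = internal.get("annotations") or {}
        _check_lb("internal", int_ann, internal.get("targetPorts") or {}, findings)
        if str(int_ann.get(ANN + "internal", "")).lower() != "true":
            findings.append('internal: aws-load-balancer-internal must be "true"')
        if not tls.get("ingestInternalHost"):
            findings.append("tls.ingestInternalHost unset while the internal load balancer is enabled")
    return findings


# Constructed sample with the shape of custom_values.yaml; the ARN, EIP
# allocation ids and host names are fake.
_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/0f2d3e4a-1111-2222-3333-444455556666"
SAMPLE_VALUES = {
    "tls": {"enabled": False, "awsAcmEnabled": True,
            "host": "observability.example.com",
            "ingestInternalHost": "internal.observability.example.com"},
    "ingress-nginx": {"controller": {"service": {
        "annotations": {
            ANN + "type": "external",
            ANN + "nlb-target-type": "ip",
            ANN + "scheme": "internet-facing",
            ANN + "cross-zone-load-balancing-enabled": "true",
            ANN + "eip-allocations": "eipalloc-0abc123def4567890, eipalloc-0123456789abcdef0",
            ANN + "ssl-cert": _ARN,
            ANN + "ssl-ports": "443",
            ANN + "backend-protocol": "tcp",
        },
        "external": {"enabled": True},
        "targetPorts": {"https": "http"},
        "internal": {
            "enabled": True,
            "annotations": {
                ANN + "internal": "true",
                ANN + "type": "nlb",
                ANN + "cross-zone-load-balancing-enabled": "true",
                ANN + "ssl-cert": _ARN,
                ANN + "ssl-ports": "443",
                ANN + "backend-protocol": "http",
            },
            "targetPorts": {"https": "http"},
        },
    }}},
}


def broken_sample():
    """Same values with two common mistakes: the ARN placeholder left in
    place and the https target port pointing at nginx's own TLS port."""
    bad = copy.deepcopy(SAMPLE_VALUES)
    svc = bad["ingress-nginx"]["controller"]["service"]
    svc["annotations"][ANN + "ssl-cert"] = "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
    svc["targetPorts"]["https"] = "https"
    return bad
```

Run check_tls_values on the dict you get from yaml.safe_load before running helm upgrade; an empty list means the values are consistent with NLB-side termination, and each finding names the service (external or internal) and the key to fix.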

Configure the Load Balancer

You must configure the internal load balancer for sending agent data on an internal network.

To accomplish this, update the certificate for the external load balancer and ensure that it contains the domain name for the internal load balancer. Update the DNS entries as required.

ACM only allows immediate subdomains, such as *.domain.com, or sibling domains, such as internal.domain.com. For example, if observability.domain.com hosts the Kloudfuse stack, you can route internal traffic to internal.observability.domain.com. The certificate can contain both domain names.
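The check below is an added example, not Kloudfuse code. It tests whether the names on an ACM certificate cover both tls.host and tls.ingestInternalHost, applying the rule that a wildcard name matches exactly one DNS label: *.domain.com covers observability.domain.com but not internal.observability.domain.com, which is why the certificate must list the internal name explicitly. The certificate names and hosts are constructed from the example in the text.

```python
def name_matches(pattern, host):
    """Exact match, or a wildcard that replaces only the leftmost label
    (the rule browsers and ACM apply; *.a.b does not cover x.y.a.b)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert_names, hosts):
    """Return the hosts that no name on the certificate covers."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


# Constructed from the page's example: the external host and the internal
# ingest host that the internal NLB serves.
HOSTS = {
    "host": "observability.domain.com",
    "ingestInternalHost": "internal.observability.domain.com",
}
# A certificate listing both names, and one that relies on a wildcard only.
CERT_BOTH_NAMES = ["observability.domain.com", "internal.observability.domain.com"]
CERT_WILDCARD_ONLY = ["*.domain.com"]
```

Before updating the DNS entries, run uncovered_hosts with the names from the ACM console (or describe-certificate) against the two hosts from custom-values.yaml; any host it returns will fail certificate validation on agents that send to the internal load balancer.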

After resolving the ACM certificate, update the custom-values.yaml file’s ingress section for the internal controller.

Internal load balancer configuration in custom-values.yaml
ingress-nginx:
  controller:
    service:
      annotations:
        <<< external annotations done before >>>
      external:
        enabled: true
      internal:
        enabled: true
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
          service.beta.kubernetes.io/aws-load-balancer-type: nlb
          service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        targetPorts:
          https: http