HTTPS/TLS Setup

The Kloudfuse Helm chart supports two options for setting up HTTPS/TLS:

If you enable TLS, you must update Grafana settings for alerts. See Grafana Configuration with TLS.

HTTPS Configuration

Prerequisites

  • A DNS name.

  • A static external IP address, associated with the DNS host name.

    Reserve a static external IP.

    See Google documentation on how to Configure static external IP addresses.

  • A certificate, either a new SSL certificate created as part of Kloudfuse installation, or an existing SSL certificate.

    New Certificate

    If the SSL certificate is created as part of the Kloudfuse installation, cert-manager creates the certificate using Let's Encrypt. cert-manager must already be installed in the Kubernetes cluster. See the cert-manager documentation on Installation.

    Create certificate during install

    helm repo add jetstack https://charts.jetstack.io
    helm repo update
    helm install cert-manager jetstack/cert-manager --create-namespace --namespace kfuse --version v1.7.1 --set installCRDs=true

    Existing Certificate

    Create a Kubernetes secret of type TLS from the server.crt and server.key files (the SSL certificate and its private key).

    Use an existing certificate

    kubectl create secret tls kfuse-tls --namespace kfuse --key server.key --cert server.crt

Configure Helm Values

Depending on the cloud provider, ingress type, and certificate method, add the following entries to the custom_values.yaml file:

For migrating from ingress-nginx to Envoy Gateway, see Configure Envoy Ingress.

tls:
  enabled: true
  host: <REPLACE DNS HOST HERE>
  email: <REPLACE EMAIL>
  clusterIssuer: <PROVIDE A CLUSTER ISSUER NAME>

envoy-gateway:
  enabled: true
  installGatewayRoutes: true
  envoyService:
    patch:
      loadBalancerIP: <REPLACE PRE-ALLOCATED STATIC IP HERE>
    external:
      enabled: true

ingress-nginx:
  enabled: false
  installIngressRules: false

Disable HTTP Traffic

  1. This step disables HTTP traffic on both internal and external ingress. Use the following if you plan to disable HTTP and not use internal ingress.

  2. You must enable HTTP traffic for Let's Encrypt to generate the certificate during installation.

  3. Use either an externally-provided certificate (ACM, and so on), or disable HTTP traffic only after the TLS certificate has been generated.

If you plan to disable HTTP traffic completely:

envoy-gateway:
  enableHttp: false

TLS Termination

You can configure the Kloudfuse stack to work on clusters that have TLS Termination, such as OKTA and AWS ACM.

Minimal Configuration

Skip to Configure TLS Termination on AWS NLB Using AWS Certificate Manager for detailed instructions on AWS Certificate Manager and AWS NLB for TLS termination.

Add the following entries to the custom_values.yaml file:

With Envoy Gateway, TLS termination at the load balancer (e.g., AWS ACM) is configured via the tls.awsAcmEnabled flag and envoy service annotations:

tls:
  enabled: false
  awsAcmEnabled: true
  host: <REPLACE DNS HOST HERE>

envoy-gateway:
  enabled: true
  installGatewayRoutes: true
  envoyService:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <ACM_CERTIFICATE_ARN>
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    external:
      enabled: true

ingress-nginx:
  enabled: false
  installIngressRules: false

When tls.awsAcmEnabled is true, the Gateway listener uses protocol HTTP on port 443, so Envoy handles it natively. No targetPorts override is needed (unlike with ingress-nginx).
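As an added check, not part of the Kloudfuse chart or its documentation, the following Python lint applies the constraints from the sections above (cert-manager issuance needs host, email, clusterIssuer and HTTP reachable; ACM termination needs the ssl-cert and ssl-ports annotations on the Envoy service; exactly one of envoy-gateway and ingress-nginx enabled) to a parsed custom_values.yaml. It assumes the values have already been loaded into a dict (for example with PyYAML); the sample values are constructed.

```python
# Added example (not part of the Kloudfuse chart): a pre-install lint for the
# tls / envoy-gateway / ingress-nginx sections of custom_values.yaml, encoding
# the constraints stated above. Values arrive as parsed dicts (in practice
# yaml.safe_load(open("custom_values.yaml")) with PyYAML).

def _unset(v):
    # Missing, empty, or still a <PLACEHOLDER> left over from the template
    return not isinstance(v, str) or not v.strip() or (v.startswith("<") and v.endswith(">"))


def lint_tls_values(values):
    """Return a list of findings; an empty list means the sections are consistent."""
    f = []
    tls = values.get("tls") or {}
    envoy = values.get("envoy-gateway") or {}
    nginx = values.get("ingress-nginx") or {}
    cert_manager, acm = bool(tls.get("enabled")), bool(tls.get("awsAcmEnabled"))

    if cert_manager and acm:
        f.append("tls.enabled and tls.awsAcmEnabled are both true; use cert-manager OR ACM termination")
    if cert_manager:
        # Let's Encrypt needs host/email/clusterIssuer, and HTTP reachable for the challenge
        for key in ("host", "email", "clusterIssuer"):
            if _unset(tls.get(key)):
                f.append(f"tls.{key} is missing or still a placeholder")
        if envoy.get("enableHttp") is False:
            f.append("envoy-gateway.enableHttp is false, but Let's Encrypt cannot issue without HTTP; "
                     "disable HTTP only after the certificate exists")
    if acm:
        ann = (envoy.get("envoyService") or {}).get("annotations") or {}
        if _unset(ann.get("service.beta.kubernetes.io/aws-load-balancer-ssl-cert")):
            f.append("awsAcmEnabled is true but aws-load-balancer-ssl-cert is missing or a placeholder")
        if str(ann.get("service.beta.kubernetes.io/aws-load-balancer-ssl-ports", "")) != "443":
            f.append('aws-load-balancer-ssl-ports must be "443" for ACM termination')
    if envoy.get("enabled") and nginx.get("enabled"):
        f.append("envoy-gateway and ingress-nginx are both enabled; run exactly one ingress")
    if envoy.get("enabled") and nginx.get("installIngressRules"):
        f.append("ingress-nginx.installIngressRules must be false when Envoy Gateway installs the routes")
    return f


# Constructed sample: the cert-manager layout above, with a placeholder left in
# and HTTP disabled before Let's Encrypt has had a chance to issue
SAMPLE_BAD = {
    "tls": {"enabled": True, "host": "obs.example.com", "email": "<REPLACE EMAIL>",
            "clusterIssuer": "letsencrypt-prod"},
    "envoy-gateway": {"enabled": True, "installGatewayRoutes": True, "enableHttp": False},
    "ingress-nginx": {"enabled": False, "installIngressRules": False},
}
```

Run lint_tls_values on your own values before helm install; the SAMPLE_BAD dict above yields two findings (the email placeholder and HTTP disabled too early).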

Configure TLS Termination on AWS NLB Using AWS Certificate Manager

AWS supports configurations with TLS termination directly on the AWS NLB that backs the Kloudfuse ingress service.

Complete these tasks to fully configure TLS termination with AWS Certificate Manager (ACM):

Prerequisites

Configure with Helm

There are three options for configuring Helm values:

Minimal configuration with ACM

minimal configuration for TLS Termination
tls:
  enabled: false
  awsAcmEnabled: true

ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: <REPLACE ELASTIC IP ALLOCATION IDs HERE, comma separated>
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      external:
        enabled: true
      targetPorts:
        https: http

Host-based routing (External Load Balancer only)

This configuration restricts Kloudfuse access to the hostname specified in the configuration.

tls:
  enabled: false
  awsAcmEnabled: true
  host: <<External facing DNS host>>

ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: <REPLACE ELASTIC IP ALLOCATION IDs HERE, comma separated>
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      external:
        enabled: true
      targetPorts:
        https: http

Host-based routing (Internal and External Load Balancers)

This configuration restricts Kloudfuse access to the specified hostnames on both internal and external load balancers.

  • The internal load balancer handles the ingest path for MELT data.

  • The external load balancer handles the query path.

tls:
  enabled: false
  awsAcmEnabled: true
  host: <<External facing DNS host>>
  ingestInternalHost: <<Internal DNS host>>

ingress-nginx:
  controller:
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: <REPLACE ELASTIC IP ALLOCATION IDs HERE, comma separated>
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      external:
        enabled: true
      targetPorts:
        https: http
      internal:
        enabled: true
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
          service.beta.kubernetes.io/aws-load-balancer-type: nlb
          service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        targetPorts:
          https: http

Load Balancer

You must configure the internal load balancer to send agent data over an internal network.

Update the certificate for the external load balancer to ensure it contains the domain name for the internal load balancer, then update DNS entries as required.

ACM only allows wildcard subdomains, such as *.domain.com, or sibling domains, such as internal.domain.com. For example, if observability.domain.com hosts the Kloudfuse stack, you can route internal traffic to internal.observability.domain.com. The certificate can cover both domain names.
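Before pointing both load balancers at one certificate, it is worth confirming that its Subject Alternative Names actually cover tls.host and tls.ingestInternalHost. The following Python check is an added example, not Kloudfuse code; it uses the one-label wildcard rule that ACM follows, so *.domain.com covers observability.domain.com but not internal.observability.domain.com. The openssl output and values dict are constructed samples.

```python
# Added example (not Kloudfuse code): check that one certificate's Subject
# Alternative Names cover both tls.host and tls.ingestInternalHost before the
# internal and external load balancers are pointed at it. Wildcard matching
# uses the one-label rule ACM follows: *.domain.com covers
# observability.domain.com but not internal.observability.domain.com.
import re


def san_matches(san, hostname):
    """True if a single DNS SAN entry covers hostname (case-insensitive)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                          # "*.domain.com" -> ".domain.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]          # what the wildcard stands for
    return label != "" and "." not in label   # exactly one label, no deeper nesting


def parse_openssl_sans(text):
    """Extract DNS names from `openssl x509 -noout -ext subjectAltName` output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def uncovered_hosts(sans, hosts):
    """Hosts from custom_values.yaml that no SAN entry matches."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def hosts_from_values(values):
    tls = values.get("tls") or {}
    return [h for h in (tls.get("host"), tls.get("ingestInternalHost")) if h]


# Constructed sample: a wildcard-only ACM certificate and the two-host layout above
SAMPLE_OPENSSL = """X509v3 Subject Alternative Name:
    DNS:*.domain.com, DNS:domain.com
"""
SAMPLE_VALUES = {"tls": {"host": "observability.domain.com",
                         "ingestInternalHost": "internal.observability.domain.com"}}

if __name__ == "__main__":
    missing = uncovered_hosts(parse_openssl_sans(SAMPLE_OPENSSL), hosts_from_values(SAMPLE_VALUES))
    print("not covered:", missing)   # the internal host needs its own SAN or *.observability.domain.com
```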

After provisioning the ACM certificate, update the custom-values.yaml file’s ingress section for the internal controller.

Internal load balancer configuration in custom-values.yaml
ingress-nginx:
  controller:
    service:
      annotations:
        # ... see external annotations above
      external:
        enabled: true
      internal:
        enabled: true
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
          service.beta.kubernetes.io/aws-load-balancer-type: nlb
          service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<REPLACE AWS ACM CERTIFICATE ARN HERE>"
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        targetPorts:
          https: http