Grafana - Kubernetes TLS

Trying to set up Grafana on Minikube with SSL/TLS, but keep getting

server.go:3160: http: TLS handshake error from 172.17.0.1:54824: EOF
server.go:3160: http: TLS handshake error from 172.17.0.1:54826: EOF
etc.

I created a Kubernetes TLS secret

kubectl create secret tls grafana-tls --key ./sslcerts/serverKey.pem --cert ./sslcerts/serverCert.crt --namespace grafana

Created a Config Map that uses the certificate

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-ini
  namespace: grafana
data:
  grafana.ini: |
    [server]
      protocol = https
      http_port = 3000
      cert_file=/etc/grafana/certs/tls.crt
      cert_key=/etc/grafana/certs/tls.key

Then the Grafana deployment that uses the TLS certs via volume mounts

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        fsGroup: 472
        supplementalGroups:
          - 0
      containers:
        - name: grafana
          image: grafana/grafana:8.4.5
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
            limits:
              cpu: 750m
              memory: 1048Mi
          volumeMounts:
            - name: grafana-pv
              mountPath: /var/lib/grafana
            - name: grafana-config
              mountPath: /etc/grafana
            - name: grafana-certs
              mountPath: /etc/grafana/certs/
              readOnly: true
      volumes:
        - name: grafana-pv
          persistentVolumeClaim:
            claimName: grafana-pvc
        - name: grafana-config
          configMap:
            name: grafana-ini
        - name: grafana-certs
          secret:
            secretName: grafana-tls
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
spec:
  ports:
    - port: 443
      targetPort: 3000
      protocol: TCP
  selector:
    app: grafana
  sessionAffinity: None
  type: NodePort

Yes, it works fine with no TLS; however, with the TLS certs I get the continuous
server.go:3160: http: TLS handshake error from 172.17.0.1:54824: EOF
errors in the log file.

Most of the examples are http://localhost, but that is not how it would be used in the real world.

It does have good potential, but it is hard to convince decision makers if it's not usable in a production setup.

I tried the Ingress Route; that has its own problems.

It's good software, but I cannot get it to run on Kubernetes with an Ingress Controller. It's a shame that all examples in the documentation point to installing it on Windows, Linux or Mac, and even Docker, but there is no clear documentation on how this will run on Kubernetes. Very shameful.

Have you tried deploying your setup to a K8s cluster on a cloud platform like GKE? Just curious if you can isolate the problem with minikube…

Thank you @mattabrams

Have not tried on a cloud provider. Did some more reading and have it working end to end on minikube.

I will try on AKS, EKS next.