Skip to main content

Secure SigNoz in Kubernetes using Ingress-NGINX and Cert-Manager

Overview

Setting up SSL/TLS certificates is essential to secure traffic over the internet. In this guide, you will configure HTTPS for Kubernetes Ingress using ingress-Nginx and cert-manager to secure SigNoz UI and SigNoz OpenTelemetry Collector endpoints.

Prerequisites

  • Helm version 3.8 or above
  • SigNoz helm chart version 0.4.3 or above

Steps to Secure SigNoz

Follow the steps below to configure SSL/TLS certificates for the domain, let's say signoz.domain.com.

info

Please update domain.com in the tutorial with either your company domain or something relevant.

Enable Cert-Manager

You can enable the cert-manager dependency chart by setting cert-manager.enabled to true. Also, set installCRDs to true for the first time to install CRDs required by the cert-manager.

Let's include it in the existing override-values.yaml file, create one if not present:

cert-manager:
enabled: true
installCRDs: true

(Optional) You can also include namespace: security in above YAML configuration to install cert-manager in security namespace instead of the Helm release namespace.

kubectl create namespace security

To install or upgrade SigNoz release with the updated configurations in override-values.yaml:

helm -n platform upgrade \
--create-namespace --install \
my-release signoz/signoz \
-f override-values.yaml

Enable Nginx Ingress Controller

You can enable the Nginx ingress controller by setting ingress-nginx.enabled configuration to true.

Let's include it in the existing override-values.yaml file:

ingress-nginx:
enabled: true

To upgrade SigNoz release with the updated configurations in override-values.yaml:

helm -n platform upgrade \
--create-namespace --install \
my-release signoz/signoz \
-f override-values.yaml

Now, you will need the external IP of the Ingress Nginx Controller. That value will either be the IP address itself or a publicly accessible URL provided by the cloud vendor.

To obtain the external IP of the ingress Nginx controller:

kubectl get services --namespace platform | grep "ingress-nginx-controller"

Output should be similar to the following:

my-release-ingress-nginx-controller             LoadBalancer   10.100.233.79    <redacted>-<redacted>.<redacted>.elb.amazonaws.com   80:31050/TCP,443:30597/TCP   74m
my-release-ingress-nginx-controller-admission ClusterIP 10.100.230.14 <none> 443/TCP 74m

In your domain management website, you should create a DNS custom record of type A pointing all required domains to the external IP address.

In our example output, you can see <redacted>-<redacted>.<redacted>.elb.amazonaws.com which is a publicly accessible sub-domain provided by a cloud vendor. In this case, you should create a DNS custom record of type CNAME for all required domains.

info

Before proceeding further, make sure that domains resolve to the ingress Nginx controller.

Create Cluster Issuer

ClusterIssuer is a Kubernetes resource that represents certificate authorities (CAs) that can generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honour the request.

Let's include the following configuration in the existing override-values.yaml file:

cert-manager:
enabled: true
installCRDs: false

letsencrypt: true
ingressClassName: nginx
email: prashant@domain.com
info

Replace prashant@domain.com with your company email id.

To upgrade SigNoz release with the updated configurations in override-values.yaml:

helm -n platform upgrade \
--create-namespace --install \
my-release signoz/signoz \
-f override-values.yaml

Enable SigNoz Ingress

Next, you can enable Kubernetes ingress for SigNoz UI by passing the ingress.className configuration to set up the ingress controller and use ingress annotation in the older K8s version. You can pass host information using ingress.hosts.

Cert-manager takes care of issuing certificates using the ingress annotation cert-manager.io/cluster-issuer which points to previously created ClusterIssuer letsencrypt-prod.

Let's update the existing override-values.yaml file accordingly:

frontend:
ingress:
enabled: true
className: nginx
hosts:
- host: signoz.domain.com
paths:
- path: /
pathType: ImplementationSpecific
port: 3301
tls:
- secretName: signoz.domain.com
hosts:
- signoz.domain.com
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod

(Optional) Similarly, you can also enable Kubernetes ingress for SigNoz OtelCollector gRPC endpoint for a domain, let's say signoz-ingest.domain.com.

Update the existing override-values.yaml file accordingly:

otelCollector:
ingress:
enabled: true
className: nginx
hosts:
- host: signoz-ingest.domain.com
paths:
- path: /
pathType: ImplementationSpecific
port: 4317
tls:
- secretName: signoz-ingest.domain.com
hosts:
- signoz-ingest.domain.com
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
danger

After enabling SigNoz OtelCollector, you can pass SSL/TLS certificate and private key to external OpenTelemetry collectors or external instrumentations which uses the secured domain endpoint.

Run SigNoz with Updated Values

At last, you can run the command below to upgrade SigNoz release with the updated configurations in override-values.yaml:

helm -n platform upgrade \
--create-namespace --install \
my-release signoz/signoz \
-f override-values.yaml

You should be able to access SigNoz UI using the domain name in frontend.ingress.hostname.

In case you have set up SSL/TLS for SigNoz OtelCollector, you can test it using tracegen.