From d652d2d139a34b1490e42cf0de41ca46bbd1132a Mon Sep 17 00:00:00 2001 From: "grafana-delivery-bot[bot]" <132647405+grafana-delivery-bot[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 08:45:04 -0500 Subject: [PATCH] [v11.1.x] Docs: Added instructions for configuring a private CA in Helm installs (#94546) Docs: Added instructions for configuring a private CA in Helm installs (#93249) * Docs: Added instructions for configuring a private CA in Helm installs Signed-off-by: Bradley Pettit <12028233+bradleypettit@users.noreply.github.com> * Docs: linted new instructions for private CA cert Signed-off-by: Bradley Pettit <12028233+bradleypettit@users.noreply.github.com> * Expanded to gem/gel/get Originally, it just referred to GEM --------- Signed-off-by: Bradley Pettit <12028233+bradleypettit@users.noreply.github.com> Co-authored-by: Jennifer Villa (cherry picked from commit 747cdf938e640e1d95db4a316e176fa4824439d1) Co-authored-by: Bradley <12028233+bradleypettit@users.noreply.github.com> --- .../setup-grafana/installation/helm/index.md | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/docs/sources/setup-grafana/installation/helm/index.md b/docs/sources/setup-grafana/installation/helm/index.md index 566f73d5610..d34e5c35f0e 100644 --- a/docs/sources/setup-grafana/installation/helm/index.md +++ b/docs/sources/setup-grafana/installation/helm/index.md @@ -278,6 +278,67 @@ To install plugins in the Grafana Helm Charts, complete the following steps: 1. Search for the above plugins and they should be marked as installed. +### Configure a Private CA (Certificate Authority) + +In many enterprise networks, TLS certificates are issued by a private certificate authority and are not trusted by default (using the provided OS trust chain). + +If your Grafana instance needs to interact with services exposing certificates issued by these private CAs, then you need to ensure Grafana trusts the root certificate. + +You might need to configure this if you: + +- have plugins that require connectivity to other self hosted systems. For example, if you've installed the Grafana Enterprise Metrics, Logs, or Traces (GEM, GEL, GET) plugins, and your GEM (or GEL/GET) cluster is using a private certificate. +- want to connect to data sources which are listening on HTTPS with a private certificate. +- are using a backend database for persistence, or caching service that uses private certificates for encryption in transit. + +In some cases you can specify a self-signed certificate within Grafana (such as in some data sources), or choose to skip TLS certificate validation (this is not recommended unless absolutely necessary). + +A simple solution which should work across your entire instance (plugins, data sources, and backend connections) is to add your self-signed CA certificate to your Kubernetes deployment. + +1. Create a ConfigMap containing the certificate, and deploy it to your Kubernetes cluster + + ```yaml + # grafana-ca-configmap.yaml + --- + apiVersion: v1 + kind: ConfigMap + metadata: + name: grafana-ca-cert + data: + ca.pem: | + -----BEGIN CERTIFICATE----- + (rest of the CA cert) + -----END CERTIFICATE----- + ``` + + ```bash + kubectl apply --filename grafana-ca-configmap.yaml --namespace monitoring + ``` + +1. Open the Helm `values.yaml` file in your favorite editor. + +1. Find the line that says `extraConfigmapMounts:` and under that section, specify the additional ConfigMap that you want to mount. + + ```yaml + ....... + ............ + ...... + extraConfigmapMounts: + - name: ca-certs-configmap + mountPath: /etc/ssl/certs/ca.pem + subPath: ca.pem + configMap: grafana-ca-cert + readOnly: true + ....... + ............ + ...... + ``` + +1. Save the changes and use the `helm upgrade` command to update your Grafana deployment and mount the new ConfigMap: + + ```bash + helm upgrade my-grafana grafana/grafana --values values.yaml --namespace monitoring + ``` + ## Troubleshooting This section includes troubleshooting tips you might find helpful when deploying Grafana on Kubernetes via Helm.