Grafana-operator-k8s docs - Enable TLS

Enable TLS

There are two alternative approaches to enabling TLS: TLS termination and end-to-end TLS.

For testing purposes, you can use the self-signed-certificates operator as a stand-in for a local or external CA.

TLS termination

You can deploy grafana together with traefik and enable TLS in traefik rather than in grafana. This way, when grafana is reached via the ingress URL, communication is TLS-encrypted up to traefik, while the traffic between traefik and grafana is plain HTTP. In-cluster communication with related charms is also unencrypted.

graph LR

external-ca ---|tls-certificates| traefik
subgraph your-model
  traefik ---|ingress| grafana
end

Deploy the following bundle (the ca application stands in for external-ca in the diagram):

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  grafana:
    charm: grafana-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
  traefik:
    charm: traefik-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
relations:
- - ca:certificates
  - traefik:certificates
- - grafana:ingress
  - traefik:traefik-route
- - traefik:grafana-dashboard
  - grafana:grafana-dashboard

End-to-end TLS

When grafana is related to a certificates provider, this operator ensures all communication is behind TLS, both in-cluster and via ingress.

graph LR

external-ca ---|tls-certificates| traefik
subgraph your-model
  traefik ---|ingress| grafana
  grafana ---|tls-certificates| local-ca
  traefik ---|send-ca-cert| local-ca
end

Deploy the following bundle (the ca application plays the role of local-ca in the diagram):

bundle: kubernetes
applications:
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  external-ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  grafana:
    charm: grafana-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
  traefik:
    charm: traefik-k8s
    channel: edge
    series: focal
    scale: 1
    trust: true
relations:
- - traefik:traefik-route
  - grafana:ingress
- - ca:send-ca-cert
  - traefik:receive-ca-cert
- - ca:certificates
  - grafana:certificates
- - traefik:certificates
  - external-ca:certificates
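
To check which of the two approaches a bundle actually implements, the following added example (not part of the grafana-k8s project) reads a bundle's relations and reports which hops are covered by a certificates relation. It assumes the endpoint names used in the two bundles above and treats traefik:receive-ca-cert as the way traefik learns the CA that signs grafana's certificate, as the send-ca-cert edge in the diagram suggests; the function names are hypothetical.

```python
# Added example: report which hops a bundle's relations protect with TLS.
# Parser handles only the "- - app:endpoint" pair layout used on this page.

TERMINATION = """\
relations:
- - ca:certificates
  - traefik:certificates
- - grafana:ingress
  - traefik:traefik-route
- - traefik:grafana-dashboard
  - grafana:grafana-dashboard
"""

END_TO_END = """\
relations:
- - traefik:traefik-route
  - grafana:ingress
- - ca:send-ca-cert
  - traefik:receive-ca-cert
- - ca:certificates
  - grafana:certificates
- - traefik:certificates
  - external-ca:certificates
"""

def parse_relations(text):
    """Return one frozenset {endpoint, endpoint} per relation."""
    ends = [line.strip().lstrip("- ") for line in text.splitlines()
            if line.strip().startswith("-")]
    return [frozenset(ends[i:i + 2]) for i in range(0, len(ends), 2)]

def peer_app(relations, endpoint):
    """Application on the other side of `endpoint`, or None if unrelated."""
    for rel in relations:
        others = rel - {endpoint}
        if endpoint in rel and others:
            return next(iter(others)).split(":")[0]
    return None

def tls_report(text):
    rels = parse_relations(text)
    grafana_ca = peer_app(rels, "grafana:certificates")       # signs grafana's cert
    trusted_ca = peer_app(rels, "traefik:receive-ca-cert")    # CA traefik is told to trust
    return {
        "ingress_tls": peer_app(rels, "traefik:certificates") is not None,
        "backend_tls": grafana_ca is not None,
        "traefik_trusts_backend_ca": grafana_ca is not None and trusted_ca == grafana_ca,
    }
```

Calling tls_report on the relations section of a bundle returns the three flags; a bundle with backend_tls set but traefik_trusts_backend_ca unset is missing the send-ca-cert relation shown in the end-to-end diagram.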