This guide describes how to configure TLS for Ingress and Route in Logging components.
Ingress NGINX Controller With TLS
- Deploy graylog with `tls` as per the parameters specified in the Installation Guide; an `Ingress` with `tls` must be successfully created.
  It can work with a secret generated by cert-manager or with custom certificates.
Route In Openshift
Route Without TLS
```yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: <specify-uniq-route-name>
  namespace: <specify-namespace-where-graylog-service-is-installed>
spec:
  host: <specify-your-target-host-here>
  to:
    kind: Service
    name: graylog-service
    weight: 100
  port:
    targetPort: graylog
```
Route With TLS
A Route with the Edge termination type is generated automatically along with the Ingress. Try to access the route URL.
If you get a 502 Bad Response, you have to create a reencrypt Route manually.
In that case, deploy graylog without the Ingress (for example, `graylog.createIngress: false`)
and use the following templates as an example to create the OpenShift Routes manually:
```yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: <specify-uniq-route-name>
  namespace: <specify-namespace-where-graylog-service-is-installed>
spec:
  host: <specify-your-target-host-here>
  to:
    kind: Service
    name: graylog-service
    weight: 100
  port:
    targetPort: graylog
  tls:
    termination: reencrypt
    destinationCACertificate: <place-CA-certificate-here-from-graylog-TLS-secret>
    insecureEdgeTerminationPolicy: Redirect
```
Example:
```yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: graylog-route
  namespace: logging-operator
spec:
  host: <specify-your-target-host-here>
  to:
    kind: Service
    name: graylog-service
    weight: 100
  port:
    targetPort: graylog
  tls:
    termination: reencrypt
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      .....
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
```
If, after creating the route above, you get the net::ERR_TOO_MANY_REDIRECTS error in the browser, one
possible root cause is that there is HTTP traffic between the balancers and the cluster, which means the route has
not been added to the balancer's whitelist. To resolve the issue, contact the INFRA team to add the route to that list.
Note: Provide the CA certificate generated by cert-manager in the `destinationCACertificate` field; you can find it
under Workloads > Secrets. While we used cert-manager to obtain the certificates, custom certificates work
as well.
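
The manual step above (copying the CA from the Graylog TLS secret into `destinationCACertificate`) can be scripted. This is an added example, not part of the original guide or the project's code. It assumes the secret carries the CA under the `ca.crt` key, as cert-manager-issued secrets usually do. The secret name is deployment-specific and passed in by the caller.

```shell
#!/usr/bin/env bash
# Added example: build the reencrypt Route from the CA stored in the Graylog TLS secret.
# Assumptions (not from the guide): the secret name supplied by the caller, and the
# ca.crt key that cert-manager writes into the TLS secrets it issues.

# Render the Route manifest on stdout.
# $1 route name, $2 namespace, $3 host, $4 base64-encoded CA certificate (PEM).
render_reencrypt_route() {
  local name="$1" namespace="$2" host="$3" ca_pem
  ca_pem="$(printf '%s' "$4" | base64 -d)" || return 1
  # Refuse anything that is not a PEM certificate, e.g. a missing or empty ca.crt key.
  case "$ca_pem" in
    "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") ;;
    *) echo "ca.crt is empty or not a PEM certificate" >&2; return 1 ;;
  esac
  cat <<EOF
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: ${name}
  namespace: ${namespace}
spec:
  host: ${host}
  to:
    kind: Service
    name: graylog-service
    weight: 100
  port:
    targetPort: graylog
  tls:
    termination: reencrypt
    destinationCACertificate: |-
$(printf '%s\n' "$ca_pem" | sed 's/^/      /')
    insecureEdgeTerminationPolicy: Redirect
EOF
}

# Fetch the CA from the secret and apply the Route (requires a logged-in oc session).
# $1 secret name (deployment-specific), $2 namespace, $3 route name, $4 host.
apply_reencrypt_route() {
  local ca_b64 manifest
  ca_b64="$(oc get secret "$1" -n "$2" -o jsonpath='{.data.ca\.crt}')" || return 1
  manifest="$(render_reencrypt_route "$3" "$2" "$4" "$ca_b64")" || return 1
  printf '%s\n' "$manifest" | oc apply -f -
}
```

Rendering fails before anything is applied when the secret has no usable CA, so the router is never configured with an empty `destinationCACertificate`.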