k3s ·

How to Expose Grafana and Node-RED via SSL on the United Manufacturing Hub (UMH)

Learn how to securely expose Grafana and Node-RED on the United Manufacturing Hub (UMH) using SSL/TLS encryption. This advanced tutorial guides you through generating certificates, creating Kubernetes Secrets, and configuring Ingress resources to enable secure HTTPS access via custom domain names.

How to Expose Grafana and Node-RED via SSL on the United Manufacturing Hub (UMH)

In this tutorial, we'll guide you through the process of securely exposing Grafana and Node-RED services via SSL/TLS on the United Manufacturing Hub (UMH). By default, Grafana is accessible at http://<IP>:8080, and Node-RED is accessible at http://<IP>:1880/nodered over unencrypted HTTP. We'll show you how to configure SSL/TLS encryption and make these services available through friendly domain names.

Prerequisites

  • A running UMH instance.
  • Basic knowledge of Kubernetes and command-line operations.
  • A domain name (e.g., umh.yourcompany.com) that resolves to your UMH instance's IP address.
  • Access to your DNS settings to create necessary records.
  • SSL/TLS certificates for your domain. If you don't have them, we'll cover how to create self-signed certificates.

Overview

We'll perform the following steps:

  1. Generate SSL/TLS certificates (or use existing ones).
  2. Create Kubernetes Secrets to store the certificates.
  3. Configure Ingress resources for Grafana and Node-RED.
  4. Apply the configurations to your Kubernetes cluster.

Step 1: Obtain SSL/TLS Certificates

Option A: Use Existing Certificates

If you already have SSL/TLS certificates:

  1. Copy the Encoded Content:You'll need the base64-encoded content when creating Kubernetes Secrets.

Convert Certificates to Base64:You need to encode your certificate (.crt) and key (.key) files in base64 format.

base64 -w 0 your_certificate.crt > tls.crt.base64
base64 -w 0 your_private.key > tls.key.base64

Option B: Generate Self-Signed Certificates

If you don't have SSL/TLS certificates, you can generate self-signed ones for testing purposes.

Note: Self-signed certificates will trigger browser warnings because they aren't trusted by default. In a production environment, use certificates from a trusted Certificate Authority (CA).

Generate Self-Signed Certificates

# Replace 'umh.yourcompany.com' with your actual domain name
DOMAIN_NAME="umh.yourcompany.com"

# Generate a private key
openssl genrsa -out tls.key 2048

# Generate a self-signed certificate
openssl req -new -x509 -key tls.key -out tls.crt -days 365 -subj "/CN=$DOMAIN_NAME"

Step 2: Create Kubernetes Secrets for Certificates

We'll create separate Secrets for Grafana and Node-RED.

Encode Certificates (if not already encoded)

# Encode the certificate
base64 -w 0 tls.crt > tls.crt.base64

# Encode the key
base64 -w 0 tls.key > tls.key.base64

Create Secrets

For Node-RED

Create a YAML file named nodered-tls-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: nodered-tls-secret
  namespace: united-manufacturing-hub
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_ENCODED_CERTIFICATE>
  tls.key: <BASE64_ENCODED_KEY>
  • Replace <BASE64_ENCODED_CERTIFICATE> with the content of tls.crt.base64.
  • Replace <BASE64_ENCODED_KEY> with the content of tls.key.base64.

Apply the Secret:

kubectl apply -f nodered-tls-secret.yaml

For Grafana

Create a YAML file named grafana-tls-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: grafana-tls-secret
  namespace: united-manufacturing-hub
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_ENCODED_CERTIFICATE>
  tls.key: <BASE64_ENCODED_KEY>
  • Use the same encoded certificate and key as for Node-RED or generate new ones if needed.

Apply the Secret:

kubectl apply -f grafana-tls-secret.yaml

Step 3: Configure Ingress Resources

We'll set up Ingress resources to route external traffic to the Grafana and Node-RED services securely.

Prerequisites

  • An Ingress controller must be installed in your cluster (e.g., NGINX Ingress Controller).

Create Ingress for Node-RED

Create a YAML file named nodered-ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nodered-ingress
  namespace: united-manufacturing-hub
spec:
  tls:
    - hosts:
        - umh.yourcompany.com  # Replace with your domain
      secretName: nodered-tls-secret
  rules:
    - host: umh.yourcompany.com  # Replace with your domain
      http:
        paths:
          - path: /nodered
            pathType: Prefix
            backend:
              service:
                name: united-manufacturing-hub-nodered-service
                port:
                  number: 1880

Notes:

  • Domain Name: Replace umh.yourcompany.com with your actual domain.
  • Service Name: Ensure that united-manufacturing-hub-nodered-service is the correct service name for Node-RED in your cluster.
  • Port Number: The default port for Node-RED is 1880.

Apply the Ingress:

kubectl apply -f nodered-ingress.yaml

Create Ingress for Grafana

Create a YAML file named grafana-ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-ingress
  namespace: united-manufacturing-hub
spec:
  tls:
    - hosts:
        - umh.yourcompany.com  # Replace with your domain
      secretName: grafana-tls-secret
  rules:
    - host: umh.yourcompany.com  # Replace with your domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: united-manufacturing-hub-grafana
                port:
                  number: 8080

Notes:

  • Domain Name: Replace umh.yourcompany.com with your actual domain.
  • Service Name: Ensure that united-manufacturing-hub-grafana is the correct service name for Grafana in your cluster.
  • Port Number: The default port for Grafana is 8080.

Apply the Ingress:

kubectl apply -f grafana-ingress.yaml

Step 4: Update DNS Settings

Ensure that your domain (umh.yourcompany.com) points to the IP address of your Ingress controller.

  • Option B: Update DNS RecordsCreate an A record in your DNS provider's settings:
    • Host: umh.yourcompany.com
    • Type: A
    • Value: <INGRESS_CONTROLLER_IP>

Option A: Modify /etc/hosts (for local testing)Add the following line to your /etc/hosts file:

<INGRESS_CONTROLLER_IP> umh.yourcompany.com

Step 5: Verify Access

Access Node-RED

  • URL: https://umh.yourcompany.com/nodered

Access Grafana

  • URL: https://umh.yourcompany.com/

Note: Since we used the root path / for Grafana, accessing the domain without any path will take you to Grafana.


Additional Considerations

Browser Security Warnings

If you used self-signed certificates, your browser will likely display a security warning.

  • Option A: Proceed through the warning (not recommended for production environments).
  • Option B: Import the self-signed certificate into your browser's trusted certificates store.

Using Let's Encrypt with Cert-Manager

For automated SSL/TLS certificate management, consider using Cert-Manager with Let's Encrypt.

  • Cert-Manager can automatically issue and renew certificates.
  • This approach is suitable for production environments exposed to the internet.

Troubleshooting

Common Issues

    • Ensure the Ingress controller is correctly installed and configured.
    • Check that the Ingress resource has been applied in the correct namespace.
  • Certificate Errors:
    • Verify that the Secrets contain the correct certificate and key.
    • Ensure the certificate's CN matches the domain name.
    • Confirm that the service names in the Ingress match the actual service names.

Service Not Found:

kubectl get services -n united-manufacturing-hub

Ingress Not Routing Traffic:

kubectl get ingress -n united-manufacturing-hub

Conclusion

You've successfully configured SSL/TLS encryption for Grafana and Node-RED on the United Manufacturing Hub. By exposing these services securely via HTTPS, you enhance the security posture of your UMH instance.


References


If you have any questions or need further assistance, feel free to reach out to the UMH community or consult the official documentation.

Read next

Node-RED meets Benthos!
benthos · Featured

Node-RED meets Benthos!

Yes, we’ve made it possible to bring Node-RED-style simplicity into Benthos pipelines, enabling your chosen LLM to handle tedious manufacturing connectivity and contextualization tasks—whether you’re prototyping or managing production-grade data flows.

Configuring DNS Servers in UMH Instances
k3s ·

Configuring DNS Servers in UMH Instances

Learn how to configure custom DNS servers on your UMH instance to resolve external domain names and prevent connectivity issues. This step-by-step guide covers editing `/etc/resolv.conf`, restarting CoreDNS pods, and customizing the CoreDNS ConfigMap for advanced DNS configurations.

Share, Engage, and Contribute!

Discover how you can share your ideas, contribute to our blog, and connect with us on other platforms.