In this tutorial, we'll guide you through the process of securely exposing Grafana and Node-RED services via SSL/TLS on the United Manufacturing Hub (UMH). By default, Grafana is accessible at http://<IP>:8080 and Node-RED at http://<IP>:1880/nodered over unencrypted HTTP. We'll show you how to configure SSL/TLS encryption and make these services available through friendly domain names.
Prerequisites
- A running UMH instance.
- Basic knowledge of Kubernetes and command-line operations.
- A domain name (e.g., umh.yourcompany.com) that resolves to your UMH instance's IP address.
- Access to your DNS settings to create the necessary records.
- SSL/TLS certificates for your domain. If you don't have them, we'll cover how to create self-signed certificates.
Overview
We'll perform the following steps:
- Generate SSL/TLS certificates (or use existing ones).
- Create Kubernetes Secrets to store the certificates.
- Configure Ingress resources for Grafana and Node-RED.
- Apply the configurations to your Kubernetes cluster.
Step 1: Obtain SSL/TLS Certificates
Option A: Use Existing Certificates
If you already have SSL/TLS certificates:
- Convert Certificates to Base64: You need to encode your certificate (.crt) and key (.key) files in base64 format. The -w 0 flag disables line wrapping so each value ends up on a single line, which is what the Secret manifest expects.
```bash
base64 -w 0 your_certificate.crt > tls.crt.base64
base64 -w 0 your_private.key > tls.key.base64
```
- Copy the Encoded Content: You'll need the base64-encoded content when creating Kubernetes Secrets.
Option B: Generate Self-Signed Certificates
If you don't have SSL/TLS certificates, you can generate self-signed ones for testing purposes.
Note: Self-signed certificates will trigger browser warnings because they aren't trusted by default. In a production environment, use certificates from a trusted Certificate Authority (CA).
Generate Self-Signed Certificates
```bash
# Replace 'umh.yourcompany.com' with your actual domain name
DOMAIN_NAME="umh.yourcompany.com"
# Generate a private key
openssl genrsa -out tls.key 2048
# Generate a self-signed certificate. Browsers match the hostname against the
# subjectAltName extension rather than the CN, so the domain is added as a SAN
# as well (the -addext option requires OpenSSL 1.1.1 or newer).
openssl req -new -x509 -key tls.key -out tls.crt -days 365 \
  -subj "/CN=$DOMAIN_NAME" -addext "subjectAltName=DNS:$DOMAIN_NAME"
```
Step 2: Create Kubernetes Secrets for Certificates
We'll create separate Secrets for Grafana and Node-RED.
Encode Certificates (if not already encoded)
```bash
# Encode the certificate
base64 -w 0 tls.crt > tls.crt.base64
# Encode the key
base64 -w 0 tls.key > tls.key.base64
```
Create Secrets
For Node-RED
Create a YAML file named nodered-tls-secret.yaml:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: nodered-tls-secret
  namespace: united-manufacturing-hub
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_ENCODED_CERTIFICATE>
  tls.key: <BASE64_ENCODED_KEY>
```
- Replace <BASE64_ENCODED_CERTIFICATE> with the content of tls.crt.base64.
- Replace <BASE64_ENCODED_KEY> with the content of tls.key.base64.
Apply the Secret:
```bash
kubectl apply -f nodered-tls-secret.yaml
```
For Grafana
Create a YAML file named grafana-tls-secret.yaml:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: grafana-tls-secret
  namespace: united-manufacturing-hub
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_ENCODED_CERTIFICATE>
  tls.key: <BASE64_ENCODED_KEY>
```
- Use the same encoded certificate and key as for Node-RED, or generate new ones if needed.
Apply the Secret:
```bash
kubectl apply -f grafana-tls-secret.yaml
```
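As an added example (not part of the UMH tutorial), the following script wraps Steps 1 and 2 end to end: it generates the self-signed certificate with a subjectAltName, checks that the private key actually belongs to the certificate, verifies that the certificate covers the Ingress host, and renders the kubernetes.io/tls Secret with single-line base64 so nothing has to be pasted by hand. The function names are my own, and it assumes OpenSSL 1.1.1 or newer.

```bash
#!/usr/bin/env bash
# Added example, not from the UMH tutorial: builds the Step 1 self-signed
# certificate with a subjectAltName, checks that key and certificate belong
# together, and renders the Step 2 kubernetes.io/tls Secret manifest.
# Assumes openssl >= 1.1.1 (for -addext); base64 may be GNU or BSD.
set -eu

# Self-signed RSA-2048 cert for $1, valid $2 days (default 365). Browsers
# match hostnames against SAN, not CN, so the name is added as a SAN too.
gen_self_signed() {
  local domain="$1" days="${2:-365}"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout tls.key -out tls.crt -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain" 2>/dev/null
}

# 0 when the public key in the cert ($1) equals the one derived from the
# private key ($2); a mismatched pair is a classic "certificate error".
key_matches_cert() {
  local from_crt from_key
  from_crt=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -pubout)
  [ "$from_crt" = "$from_key" ]
}

# 0 when the SAN list of cert $1 contains exactly DNS:$2 (no substring match).
cert_covers_host() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | tr -d ' ' \
    | grep -qx "DNS:$2"
}

# Print a kubernetes.io/tls Secret named $1 in namespace $2 from cert $3 and
# key $4. tr strips newlines, the portable equivalent of GNU base64 -w 0.
render_tls_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$3" | tr -d '\n')
  tls.key: $(base64 < "$4" | tr -d '\n')
EOF
}
```

Equivalently, `kubectl create secret tls nodered-tls-secret --cert=tls.crt --key=tls.key -n united-manufacturing-hub` builds the same Secret directly from the PEM files without any manual base64 step.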
Step 3: Configure Ingress Resources
We'll set up Ingress resources to route external traffic to the Grafana and Node-RED services securely.
Prerequisites
- An Ingress controller must be installed in your cluster (e.g., NGINX Ingress Controller).
Create Ingress for Node-RED
Create a YAML file named nodered-ingress.yaml:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nodered-ingress
  namespace: united-manufacturing-hub
spec:
  tls:
    - hosts:
        - umh.yourcompany.com # Replace with your domain
      secretName: nodered-tls-secret
  rules:
    - host: umh.yourcompany.com # Replace with your domain
      http:
        paths:
          - path: /nodered
            pathType: Prefix
            backend:
              service:
                name: united-manufacturing-hub-nodered-service
                port:
                  number: 1880
```
Notes:
- Domain Name: Replace umh.yourcompany.com with your actual domain.
- Service Name: Ensure that united-manufacturing-hub-nodered-service is the correct service name for Node-RED in your cluster.
- Port Number: The default port for Node-RED is 1880.
Apply the Ingress:
```bash
kubectl apply -f nodered-ingress.yaml
```
Create Ingress for Grafana
Create a YAML file named grafana-ingress.yaml:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-ingress
  namespace: united-manufacturing-hub
spec:
  tls:
    - hosts:
        - umh.yourcompany.com # Replace with your domain
      secretName: grafana-tls-secret
  rules:
    - host: umh.yourcompany.com # Replace with your domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: united-manufacturing-hub-grafana
                port:
                  number: 8080
```
Notes:
- Domain Name: Replace umh.yourcompany.com with your actual domain.
- Service Name: Ensure that united-manufacturing-hub-grafana is the correct service name for Grafana in your cluster.
- Port Number: The default port for Grafana is 8080.
Apply the Ingress:
```bash
kubectl apply -f grafana-ingress.yaml
```
Step 4: Update DNS Settings
Ensure that your domain (umh.yourcompany.com) points to the IP address of your Ingress controller.
Option A: Modify /etc/hosts (for local testing)
Add the following line to your /etc/hosts file:
```
<INGRESS_CONTROLLER_IP> umh.yourcompany.com
```
Option B: Update DNS Records
Create an A record in your DNS provider's settings:
- Host: umh.yourcompany.com
- Type: A
- Value: <INGRESS_CONTROLLER_IP>
Step 5: Verify Access
Access Node-RED
- URL: https://umh.yourcompany.com/nodered
Access Grafana
- URL: https://umh.yourcompany.com/
Note: Since we used the root path / for Grafana, accessing the domain without any path will take you to Grafana.
Additional Considerations
Browser Security Warnings
If you used self-signed certificates, your browser will likely display a security warning.
- Option A: Proceed through the warning (not recommended for production environments).
- Option B: Import the self-signed certificate into your browser's trusted certificates store.
Using Let's Encrypt with Cert-Manager
For automated SSL/TLS certificate management, consider using Cert-Manager with Let's Encrypt.
- Cert-Manager can automatically issue and renew certificates.
- This approach is suitable for production environments exposed to the internet.
Troubleshooting
Common Issues
- Ingress Not Routing Traffic:
  - Ensure the Ingress controller is correctly installed and configured.
  - Check that the Ingress resource has been applied in the correct namespace.
```bash
kubectl get ingress -n united-manufacturing-hub
```
- Certificate Errors:
  - Verify that the Secrets contain the correct certificate and key.
  - Ensure the certificate's CN matches the domain name.
- Service Not Found:
  - Confirm that the service names in the Ingress match the actual service names.
```bash
kubectl get services -n united-manufacturing-hub
```
Conclusion
You've successfully configured SSL/TLS encryption for Grafana and Node-RED on the United Manufacturing Hub. By exposing these services securely via HTTPS, you enhance the security posture of your UMH instance.
References
If you have any questions or need further assistance, feel free to reach out to the UMH community or consult the official documentation.