add support for BYOC TLS

[monrax]

Add support for Bring-Your-Own-Certificate TLS

[alix-graylog]

This looks good. Thanks for adding this!

[monrax]

We had the wrong environment variable before: it should be GRAYLOG_HTTP_ENABLE_TLS, not GRAYLOG_ENABLE_TLS. TLS without ingress should work now.

How to test?

1. Make sure you have a running cluster. If you don't have one, please take a look at CONTRIBUTING.md for instructions on how to set up a local cluster.
2. Install the Graylog chart

helm install graylog . -n graylog --create-namespace

3. Generate a self-signed certificate using OpenSSL and store it a kubernetes secret:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out public.crt -subj "/CN=mygraylog"
kubectl create secret tls my-cert --cert=public.crt --key=private.key -n graylog

4. Add an entry to /etc/hosts (or your DNS provider)

addr=$(kubectl get svc -n graylog graylog-svc --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
echo $addr  mygraylog | sudo tee -a /etc/hosts

5. Enable TLS by upgrading your installation

helm upgrade graylog ./graylog -n graylog --reuse-values --set graylog.config.tls.byoc.enabled=true --set  graylog.config.tls.byoc.secretName="my-cert" --set graylog.config.byoc.cn=mygraylog

6. Wait for the pods to be recreated, and use cURL to test the connection

curl -kv https://mygraylog:9000/

[monrax]

I have tested this with AWS EKS and an external DNS provider already and it works as expected. Please, give it a try and write your observations down below!

[alix-graylog]

I'm not super familiar with the BYO TLS of graylog, but this looks sound to me

[williamtrelawny]

I just tested this on EKS and it works perfectly 🚀

[williamtrelawny]

Works perfectly on EKS!