add support for BYOC TLS

README.md

@@ -129,6 +129,28 @@ helm upgrade graylog ./graylog -n graylog -f inputs.yaml --reuse-values
 
 The inputs should now be exposed. Make sure to complete their configuration through the Graylog UI.
 
+### Enable TLS
+
+Before you can enable TLS, you must associate a DNS name with your Graylog installation.
+More specifically, it should point to the external IP address (EXTERNAL-IP) associated with your Graylog service.
+You can retrieve this information like this:
+
+```sh
+kubectl get svc graylog-svc -n graylog
+```
+
+## Bring Your Own Certificate
+
+If you already have a TLS certificate-key pair, you can create a Kubernetes secret to store them:
+```sh
+kubectl create secret tls my-cert --cert=public.pem --key=private.key -n graylog
+```
+
+Enable TLS for your Graylog installation, referencing the Kubernetes secret:
+```sh
+helm upgrade graylog ./graylog -n graylog --reuse-values --set graylog.config.tls.byoc.enabled=true --set  graylog.config.tls.byoc.secretName="my-cert"
+```
+
 ### Uninstall
 ```sh
 # optional: scale Graylog down to zero

graylog/templates/_helpers.tpl

@@ -199,6 +199,13 @@ Graylog service name
 {{- .Values.graylog.custom.service.nameOverride | default $defaultName }}
 {{- end }}
 
+{{/*
+Graylog service app port
+*/}}
+{{- define "graylog.service.port.app" -}}
+{{- .Values.graylog.custom.service.ports.app | default 9000 | int }}
+{{- end }}
+
 {{/*
 Graylog configmap name
 */}}

graylog/templates/config/graylog.yaml

@@ -43,9 +43,12 @@ data:
   GRAYLOG_HTTP_MAX_HEADER_SIZE: {{ .Values.graylog.config.network.maxHeaderSize | int | quote }}
   GRAYLOG_HTTP_READ_TIMEOUT: {{ .Values.graylog.config.network.readTimeout | quote }}
   GRAYLOG_HTTP_THREAD_POOL_SIZE: {{ .Values.graylog.config.network.threadPoolSize | int | quote }}
-  # @todo: Investigate how to support BYO Graylog App certs
-  # GRAYLOG_ENABLE_TLS: "true"
-  # GRAYLOG_HTTP_EXTERNAL_URI:
+  GRAYLOG_HTTP_ENABLE_TLS: {{ .Values.graylog.config.tls.byoc.enabled | quote }}
+  GRAYLOG_HTTP_TLS_CERT_FILE: "/usr/share/graylog/tls/tls.crt"
+  GRAYLOG_HTTP_TLS_KEY_FILE: "/usr/share/graylog/tls/tls.key"
+  {{- if and .Values.graylog.config.tls.byoc.enabled .Values.graylog.config.tls.byoc.cn }}
+  GRAYLOG_HTTP_EXTERNAL_URI: {{ include "graylog.service.port.app" . | printf "https://%s:%s/" .Values.graylog.config.tls.byoc.cn }}
+  {{- end }}
   # GRAYLOG_HTTP_PUBLISH_URI: ""
 
   # Performance Tuning

graylog/templates/config/secret/secrets.yaml

@@ -88,6 +88,9 @@ data:
   GRAYLOG_ROOT_USERNAME: {{ .Values.graylog.config.rootUsername | default "admin" | b64enc }}
   GRAYLOG_PASSWORD_SECRET: {{ $graylogPepper }}
   GRAYLOG_ROOT_PASSWORD_SHA2: {{ $graylogSha }}
+  {{- if .Values.graylog.config.tls.byoc.enabled }}
+  GRAYLOG_HTTP_TLS_KEY_PASSWORD: {{ .Values.graylog.config.tls.byoc.keyPassword | quote }}
+  {{- end }}
 ---
 apiVersion: batch/v1
 kind: Job

graylog/templates/service/graylog.yaml

@@ -9,7 +9,7 @@ spec:
   type: {{ .Values.graylog.custom.service.type | default "ClusterIP" }}
   ports:
     - name: app
-      port: {{ .Values.graylog.custom.service.ports.app | default 9000 | int }}
+      port: {{ include "graylog.service.port.app" . }}
       targetPort: app
       protocol: TCP
     {{- if .Values.graylog.custom.metrics.enabled }}

graylog/templates/workload/statefulsets/graylog.yaml

@@ -122,6 +122,10 @@ spec:
           volumeMounts:
             - name: {{ include "graylog.volumeName" . }}
               mountPath: /usr/share/graylog/data
+            {{- if .Values.graylog.config.tls.byoc.enabled }}
+            - name: tls-creds
+              mountPath: /usr/share/graylog/tls
+            {{- end }}
       tolerations:
       {{- with .Values.graylog.custom.tolerations }}
         {{- toYaml . | nindent 8 }}
@@ -135,6 +139,11 @@ spec:
         configMap:
           name: init-script-cm
           defaultMode: 0755  # Make script executable
+      {{- if .Values.graylog.config.tls.byoc.enabled }}
+      - name: tls-creds
+        secret:
+          secretName: {{ .Values.graylog.config.tls.byoc.secretName | quote }}
+      {{- end }}
       {{- if not .Values.graylog.custom.persistence.enabled | or .Values.graylog.custom.persistence.existingClaim }}
       - name: {{ include "graylog.volumeName" . }}
         {{- if .Values.graylog.custom.persistence.existingClaim }}

graylog/values.yaml

@@ -38,6 +38,11 @@ graylog:
     leaderElectionMode: "automatic"
     contentPacksAutoInstall: "true"
     isCloud: "false"
+    tls:
+      byoc:
+        enabled: false
+        secretName:
+        keyPassword:
     mongodb:
       maxConnections: "1000"
       versionProbeAttempts: "0"