Secure SigNoz in Kubernetes using Ingress NGINX and Cert Manager

Overview

This tutorial will walk you through the process of setting up HTTPS (SSL/TLS) for your SigNoz installation in Kubernetes using two popular tools:

  • Ingress NGINX: A Kubernetes ingress controller that manages external access to services
  • Cert Manager: An automated certificate management tool that helps obtain and renew SSL/TLS certificates

Prerequisites

Before you begin, ensure you have:

  • Kubernetes cluster with administrative access
  • Helm (version 3.8 or above) installed on your machine
  • SigNoz helm chart (version 0.4.3 or above)
  • A domain name pointed to your Kubernetes cluster for SigNoz (e.g., signoz.example.com)
  • A domain name pointed to your Kubernetes cluster for SigNoz OTel Collector (e.g., signoz-ingest.example.com)

Steps to Secure SigNoz

Install Cert-Manager

  1. Install cert-manager using Helm:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --set crds.enabled=true \
  --namespace cert-manager \
  --create-namespace

You can find more details here

Install Nginx Ingress Controller

  1. Install Nginx Ingress Controller using Helm:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace

You can find more details here

Create Cluster Issuer

  1. Create a ClusterIssuer to automatically obtain SSL certificates. Save this as cluster-issuer.yaml. Below is an example of a simple ACME issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx

You can find more details about cluster issuers here

  1. Apply the ClusterIssuer to your cluster:
kubectl apply -f cluster-issuer.yaml

Enable SigNoz Ingress

Update your values.yaml file with the following configurations:

signoz:
  ingress:
    enabled: true
    className: nginx
    hosts:
      - host: signoz.example.com  # Replace with your domain
        paths:
          - path: /
            pathType: ImplementationSpecific
            port: 8080
    tls:
      - secretName: signoz-tls-cert
        hosts:
          - signoz.example.com    # Replace with your domain
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-staging

# Configure SigNoz OTel Collector Ingress
otelCollector:
  ingress:
    enabled: true
    className: nginx
    hosts:
      - host: signoz-ingest.example.com  # Replace with your ingestion domain
        paths:
          - path: /
            pathType: ImplementationSpecific
            port: 4317
    tls:
      - secretName: signoz-ingest-tls-cert
        hosts:
          - signoz-ingest.example.com    # Replace with your ingestion domain
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-staging
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"

Verify the setup

After applying all configurations, verify your setup:

  1. Check certificate status:
kubectl get certificates -A
  1. Ensure your domains are accessible via HTTPS:
    • Dashboard: https://signoz.example.com
    • Ingestion: https://signoz-ingest.example.com

Was this page helpful?