Secure SigNoz in Kubernetes using Ingress NGINX and Cert Manager

Overview

This tutorial will walk you through the process of setting up HTTPS (SSL/TLS) for your SigNoz installation in Kubernetes using two popular tools:

  • Ingress NGINX: A Kubernetes ingress controller that manages external access to services
  • Cert Manager: An automated certificate management tool that helps obtain and renew SSL/TLS certificates

Prerequisites

Before you begin, ensure you have:

  • Kubernetes cluster with administrative access
  • Helm (version 3.8 or above) installed on your machine
  • SigNoz helm chart (version 0.4.3 or above)
  • A domain name pointed to your Kubernetes cluster for SigNoz (e.g., signoz.example.com)
  • A domain name pointed to your Kubernetes cluster for SigNoz OTel Collector (e.g., signoz-ingest.example.com)

Steps to Secure SigNoz

Install Cert-Manager

  1. Install cert-manager using Helm:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --set crds.enabled=true \
  --namespace cert-manager \
  --create-namespace

You can find more details here

Install Nginx Ingress Controller

  1. Install Nginx Ingress Controller using Helm:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace

You can find more details here

Create Cluster Issuer

  1. Create a ClusterIssuer to automatically obtain SSL certificates. Save this as cluster-issuer.yaml. Below is an example of a simple ACME issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx

You can find more details about cluster issuers here

  1. Apply the ClusterIssuer to your cluster:
kubectl apply -f cluster-issuer.yaml

Enable SigNoz Ingress

Update your values.yaml file with the following configurations:

signoz:
  ingress:
    enabled: true
    className: nginx
    hosts:
      - host: signoz.example.com  # Replace with your domain
        paths:
          - path: /
            pathType: ImplementationSpecific
            port: 8080
    tls:
      - secretName: signoz-tls-cert
        hosts:
          - signoz.example.com    # Replace with your domain
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-staging

# Configure SigNoz OTel Collector Ingress
otelCollector:
  ingress:
    enabled: true
    className: nginx
    hosts:
      - host: signoz-ingest.example.com  # Replace with your ingestion domain
        paths:
          - path: /
            pathType: ImplementationSpecific
            port: 4317
    tls:
      - secretName: signoz-ingest-tls-cert
        hosts:
          - signoz-ingest.example.com    # Replace with your ingestion domain
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-staging
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"

Verify the setup

After applying all configurations, verify your setup:

  1. Check certificate status:
kubectl get certificates -A
  1. Ensure your domains are accessible via HTTPS:
    • Dashboard: https://signoz.example.com
    • Ingestion: https://signoz-ingest.example.com

Was this page helpful?

Prev
OpenTelemetry Operator Usage
Next
Retention Period
On this page
Overview
Prerequisites
Steps to Secure SigNoz
Install Cert-Manager
Install Nginx Ingress Controller
Create Cluster Issuer
Enable SigNoz Ingress
Verify the setup
Docs
IntroductionContributingMigrate from DatadogSigNoz API
Community
Support
Slack
Twitter
Launch Week
Changelog
Dashboard Templates
More
SigNoz vs DatadogSigNoz vs New RelicSigNoz vs GrafanaSigNoz vs Dynatrace
Careers
AboutTermsPrivacySecurity & Compliance
SigNoz
All systems operational