Provide SSL certificates for monitoring
Beginning with the December, 2021 release, Azure Arc-enabled data services allows you to provide SSL/TLS certificates for the monitoring dashboards. You can use these certificates for logs (Kibana) and metrics (Grafana) dashboards.
You can specify the certificate when you create a data controller with:
- Azure
azCLIarcdataextension - Kubernetes native deployment
Microsoft provides sample files to create the certificates in the /microsoft/azure_arc/ GitHub repository.
You can clone the file locally to access the sample files.
git clone https://github.com/microsoft/azure_arc
The files that are referenced in this article are in the repository under /arc_data_services/deploy/scripts/monitoring.
Create or acquire appropriate certificates
You need appropriate certificates for each UI. One for logs, and one for metrics. The following table describes the requirements.
The following table describes the requirements for each certificate and key.
| Requirement | Logs certificate | Metrics certificate |
|---|---|---|
| CN | logsui-svc |
metricsui-svc |
| SANs | None required | metricsui-svc.${NAMESPACE}.${K8S_DNS_DOMAIN_NAME} |
| keyUsage | digitalsignaturekeyEncipherment |
digitalsignaturekeyEncipherment |
| extendedKeyUsage | serverAuth |
serverAuth |
Note
Default K8S_DNS_DOMAIN_NAME is svc.cluster.local, though it may differ depending on environment and configuration.
The GitHub repository directory includes example template files that identify the certificate specifications.
- /arc_data_services/deploy/scripts/monitoring/logsui-ssl.conf.tmpl
- /arc_data_services/deploy/scripts/monitoring/metricsui-ssl.conf.tmpl
The Azure Arc samples GitHub repository provides an example you can use to generate a compliant certificate and private key for an endpoint.
See the code from /arc_data_services/deploy/scripts/monitoringcreate-monitoring-tls-files.sh.
To use the example to create certificates, update the following command with your namespace and the directory for the certificates (output_directory). Then run the command.
./create-monitor-tls-files.sh <namespace> <output_directory>
This creates compliant certificates in the directory.
Deploy with CLI
After you have the certificate/private key for each endpoint, create the data controller with az dc create... command.
To apply your own certificate/private key use the following arguments.
--logs-ui-public-key-file <path\file to logs public key file>--logs-ui-private-key-file <path\file to logs private key file>--metrics-ui-public-key-file <path\file to metrics public key file>--metrics-ui-private-key-file <path\file to metrics private key file>
For example, the following example creates a data controller with designated certificates for the logs and metrics UI dashboards:
az arcdata dc create --profile-name azure-arc-aks-default-storage --k8s-namespace <namespace> --use-k8s --name arc --subscription <subscription id> --resource-group <resource group name> --location <location> --connectivity-mode indirect --logs-ui-public-key-file <path\file to logs public key file> --logs-ui-private-key-file <path\file to logs private key file> --metrics-ui-public-key-file <path\file to metrics public key file> --metrics-ui-private-key-file <path\file to metrics private key file>
#Example:
#az arcdata dc create --profile-name azure-arc-aks-default-storage --k8s-namespace arc --use-k8s --name arc --subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --resource-group my-resource-group --location eastus --connectivity-mode indirect --logs-ui-public-key-file /path/to/logsuipublickeyfile.pem --logs-ui-private-key-file /path/to/logsuiprivatekey.pem --metrics-ui-public-key-file /path/to/metricsuipublickeyfile.pem --metrics-ui-private-key-file /path/to/metricsuiprivatekey.pem
You can only specify certificates when you include --use-k8s in the az arcdata dc create ... statement.
Deploy with Kubernetes native tools
If you are using Kubernetes native tools to deploy, create kubernetes secrets that hold the certificates and private keys. Create the following secrets:
logsui-certificiate-secretmetricsui-certificate-secret.
Make sure the services are listed as subject alternative names (SANs) and the certificate usage parameters are correct.
- Verify each secret has the following fields:
certificate.pemcontaining the base64 encoded certificateprivatekey.pemcontaining the private key
Related content
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for