How to Deploy Secure Kibana on Kubernetes Using Helm and Private Harbor
This guide walks you through the prerequisites, Helm chart acquisition, private Harbor upload, TLS secret creation, detailed Helm values configuration, and final deployment and verification steps to set up a secure, production‑ready Kibana monitoring platform on a Kubernetes cluster.
In modern monitoring systems, Kibana is the visualization tool for Elasticsearch, and containerized deployment has become mainstream. This article demonstrates how to quickly deploy Kibana on a Kubernetes cluster using Helm and integrate it with a private Harbor registry.
Prerequisites
Standardized Helm chart deployment
Available Kubernetes cluster
Available Elasticsearch cluster
Private Harbor registry for secure images
Cert‑Manager for automatic SSL certificate management
Nginx Ingress for fine‑grained routing
Obtain Kibana Chart Package
Download Kibana chart
<code>
$ helm repo add elastic https://helm.elastic.co
"elastic" has been added to your repositories
$ helm pull elastic/kibana --version 7.17.3
</code>
Upload to internal Harbor service
<code>
$ helm push kibana-7.17.3.tgz oci://core.jiaxzeng.com/plugins
Pushed: core.jiaxzeng.com/plugins/kibana:7.17.3
Digest: sha256:169f9041f998086df3af446bd79a5b04c569f33980ef5fb3ce18639fc3f966f5
</code>
Install Kibana
Upload Elasticsearch TLS certificate
<code>
$ kubectl -n obs-system create secret generic es-ca-tls --from-file=/home/ops/certificates-ca.crt
secret/es-ca-tls created
</code>
Command to extract the ES CA certificate from a p12 file:
<code>
$ openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -chain -out certificates-ca.crt
</code>
Deep dive into values.yaml
<code>
fullnameOverride: kibana
replicas: 1 # number of replicas
image: "core.jiaxzeng.com/library/kibana" # private image path
serverHost: "0.0.0.0" # listen on all interfaces inside the pod
httpPort: 5601 # service port
elasticsearchHosts: "https://elasticsearch.obs-system.svc:9200" # ES address
kibanaConfig:
  kibana.yml: |
    server.rewriteBasePath: "true"
    server.basePath: "/kibana"
    # public URL; should be https:// when users arrive through the TLS ingress below
    server.publicBaseUrl: "http://ops.jiaxzeng.com/kibana"
    elasticsearch.ssl.certificateAuthorities: "/usr/share/kibana/pki/certificates-ca.crt"
    elasticsearch.hosts: "https://elasticsearch.obs-system.svc:9200"
    # "certificate" validates the CA chain but skips the hostname check; "full" checks both
    elasticsearch.ssl.verificationMode: "certificate"
healthCheckPath: "/kibana" # health check path
secretMounts:
  - name: es-ca-cert
    secretName: es-ca-tls
    path: /usr/share/kibana/pki
extraEnvs:
  - name: 'ELASTICSEARCH_USERNAME'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: 'ELASTICSEARCH_PASSWORD'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
resources:
  requests:
    cpu: "1000m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "2Gi"
ingress:
  enabled: true
  className: "nginx"
  pathtype: ImplementationSpecific
  annotations:
    cert-manager.io/cluster-issuer: ca-cluster-issuer
  hosts:
    - host: ops.jiaxzeng.com
      paths:
        - path: /kibana
  tls:
    - secretName: ops.jiaxzeng.com-tls
      hosts:
        - ops.jiaxzeng.com
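</code>
The es-ca-tls secret mounted under secretMounts contains the CA certificate extracted from the ES cluster. The ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD environment variables provide ES user authentication and are read from the elastic-credentials secret; create the corresponding secrets if ES is not containerized or resides in a different namespace.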
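A pre-deploy check for the kibana.yml block above, as an added example that is not part of the original article: it flags settings that weaken the Kibana-to-Elasticsearch TLS link or put credentials in config text. The function names, severity labels and the WEAK sample are constructed for illustration, and the parser only handles the flat key: "value" lines used here.

```python
import re
from urllib.parse import urlparse

def parse_flat(text):
    """Parse flat `key: "value"` lines (the kibana.yml style used on this page)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.]+):\s*"?([^"#]*)"?', line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def audit(kibana_yml, ingress_tls=True):
    """Return (severity, setting) findings for one kibana.yml block."""
    s, found = parse_flat(kibana_yml), []
    if urlparse(s.get("elasticsearch.hosts", "")).scheme != "https":
        found.append(("fail", "elasticsearch.hosts"))  # plaintext link to ES
    mode = s.get("elasticsearch.ssl.verificationMode", "full")  # Kibana default
    if mode == "none":
        found.append(("fail", "elasticsearch.ssl.verificationMode"))  # no validation
    elif mode == "certificate":
        found.append(("warn", "elasticsearch.ssl.verificationMode"))  # no hostname check
    if mode != "none" and "elasticsearch.ssl.certificateAuthorities" not in s:
        found.append(("warn", "elasticsearch.ssl.certificateAuthorities"))
    pub = s.get("server.publicBaseUrl")
    if ingress_tls and pub and urlparse(pub).scheme != "https":
        found.append(("warn", "server.publicBaseUrl"))  # advertised URL is not https
    for key in ("elasticsearch.username", "elasticsearch.password"):
        if key in s:
            found.append(("fail", key))  # credential stored in config text
    return found

# TLS-relevant settings copied from the page, and a constructed weak variant.
PAGE = '''
server.publicBaseUrl: "http://ops.jiaxzeng.com/kibana"
elasticsearch.ssl.certificateAuthorities: "/usr/share/kibana/pki/certificates-ca.crt"
elasticsearch.hosts: "https://elasticsearch.obs-system.svc:9200"
elasticsearch.ssl.verificationMode: "certificate"
'''
WEAK = '''
elasticsearch.hosts: "http://elasticsearch.obs-system.svc:9200"
elasticsearch.ssl.verificationMode: "none"
elasticsearch.password: "changeme"
'''

if __name__ == "__main__":
    for name, cfg in (("page", PAGE), ("weak (constructed)", WEAK)):
        for severity, setting in audit(cfg):
            print(f"{name}: {severity}: {setting}")
```

Moving to "full" only works when the Elasticsearch certificate lists the service hostname in its subject alternative names.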
Deploy Kibana
<code>
$ helm -n obs-system install kibana -f /etc/kubernetes/addons/kibana-values.yaml oci://core.jiaxzeng.com/plugins/kibana --version 7.17.3
Pulled: core.jiaxzeng.com/plugins/kibana:7.17.3
Digest: sha256:169f9041f998086df3af446bd79a5b04c569f33980ef5fb3ce18639fc3f966f5
NAME: kibana
LAST DEPLOYED: Mon Mar 10 16:14:45 2025
NAMESPACE: obs-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
</code>
Verify Kibana
Check pod status
<code>
$ kubectl -n obs-system get pod -l app=kibana
NAME                      READY   STATUS    RESTARTS   AGE
kibana-85ff769865-n2b69   1/1     Running   0          83s
</code>
Access Kibana via browser
The administrator password and Kibana's Elasticsearch credentials are identical.
Conclusion
By following these steps you have built a secure and reliable Kibana monitoring platform. It is recommended to regularly scan container images with tools such as Trivy and continuously optimize the monitoring system.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.