Enable Transport Layer Security (TLS) for Fusion Microservices
This feature is only available in Fusion releases 5.9.2 and 5.11.0 and later.
This article describes how to deploy Fusion with Transport Layer Security (TLS) enabled for Fusion microservices.
When enabled, Fusion generates a TLS certificate for each pod when the pod starts. This allows Fusion to use the Kubernetes endpoints API to reach each pod by its IP address and perform load balancing, circuit breaking, and retries in the Fusion microservices.
To facilitate the TLS operations, Fusion uses Jetstack's cert-manager add-on to provision a certificate for each pod. This certificate contains the pod's IP address.
It is not possible to update an existing cluster to enable or disable TLS. These instructions apply to new deployments only.
Install Jetstack cert-manager
- Add the Jetstack helm repo.
helm repo add jetstack https://charts.jetstack.io
- Update the local cache.
helm repo update
- Create the CRDs required for Jetstack.
For Jetstack v1.12.4:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.4/cert-manager.crds.yaml
For Jetstack v1.13.1:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.crds.yaml
- Create the namespace for cert-manager.
kubectl create namespace "cert-manager"
- Install cert-manager into the namespace.
For Jetstack v1.12.4:
helm upgrade --install --namespace "cert-manager" cert-manager jetstack/cert-manager --version 1.12.4 --set 'extraArgs[0]=--enable-certificate-owner-ref=true'
For Jetstack v1.13.1:
helm upgrade --install --namespace "cert-manager" cert-manager jetstack/cert-manager --version 1.13.1 --set 'extraArgs[0]=--enable-certificate-owner-ref=true'
You must only complete this process once per Fusion cluster. All namespaces in the cluster are affected by this process.
Prepare the namespace for Fusion
- Create the namespace to install Fusion into.
kubectl create namespace ${KUBE_NAMESPACE}
- Create the Root CA certificate for the namespace that will be used to sign all certificates in the namespace.
cat <<EOF | cfssl genkey -initca - | cfssljson -bare ca
{
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "Lucidworks",
      "OU": "Engineering",
      "ST": "California"
    }
  ]
}
EOF
kubectl --namespace "${KUBE_NAMESPACE}" create secret generic cert-manager-ca --from-literal=tls.crt="$(cat ca.pem)" --from-literal=tls.key="$(cat ca-key.pem)"
- Create a cert-manager issuer to sign CSRs in the namespace.
For Jetstack v1.12.4:
cat > ca-issuer.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ${KUBE_NAMESPACE}-ca-issuer
spec:
  ca:
    secretName: cert-manager-ca
EOF
kubectl --namespace "${KUBE_NAMESPACE}" apply -f ca-issuer.yaml
For Jetstack v1.13.1:
cat > ca-issuer.yaml <<EOF
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: ${KUBE_NAMESPACE}-ca-issuer
spec:
  ca:
    secretName: cert-manager-ca
EOF
kubectl --namespace "${KUBE_NAMESPACE}" apply -f ca-issuer.yaml
- Install Fusion with the following parameters:
helm install ... \
  --set global.tlsEnabled=true \
  --set global.tlsIssuerRef=${KUBE_NAMESPACE}-ca-issuer \
  --set global.zkPort=2281 \
  --set global.kafkaPort=9092
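As an added check (not from the Fusion documentation or Lucidworks), the Go program below uses the standard crypto/x509 package to confirm the two properties the setup above depends on for a certificate exported from a pod: it chains to the namespace CA created with cfssl (ca.pem), and its subjectAltName carries the pod's IP address. The mintPair helper, the "ns-ca" name and the 10.244.x.x addresses are constructed test data; in practice pass VerifyPodCert the real pod certificate and ca.pem.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// VerifyPodCert checks what Fusion's per-pod TLS relies on: the pod certificate (PEM) chains to
// the namespace CA (PEM), and its subjectAltName lists the pod IP that Fusion dials via the endpoints API.
func VerifyPodCert(leafPEM, caPEM []byte, podIP string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("pod cert: no PEM block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an unparsable CA surfaces below as "unknown authority"
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: podIP}) // IP literal: matched against IP SANs, never the CN
	return err
}
// mintPair returns constructed test data: a throwaway CA and a leaf it signs for ips, shaped like
// what cert-manager's CA Issuer mints per pod (hypothetical; not Fusion's real output).
func mintPair(ips []net.IP) (leafPEM, caPEM []byte) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ns-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER) // sign with the parsed cert so the leaf gets a proper AKI
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), IPAddresses: ips, NotBefore: nb, NotAfter: na,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(leafDER), toPEM(caDER)
}
func main() { // stand-alone demo on constructed data; in practice pass the pod's cert and ca.pem
	leaf, ca := mintPair([]net.IP{net.ParseIP("10.244.1.7")}) // constructed pod IP
	fmt.Println(VerifyPodCert(leaf, ca, "10.244.1.7"), "|", VerifyPodCert(leaf, ca, "10.244.1.8"))
}
```

The second call in main fails with a SAN mismatch, which is the error to expect when a pod is reached at an address its certificate was not issued for.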