Enable Transport Layer Security (TLS) for Fusion Microservices

This article describes how to deploy Fusion with Transport Layer Security (TLS) enabled for Fusion microservices.

When enabled, Fusion generates a TLS certificate for each pod when the pod starts. This allows Fusion to use the Kubernetes endpoints API to reach each pod by its IP address and perform load balancing, circuit breaking, and retries in the Fusion microservices.

To perform the TLS operations, Fusion uses Jetstack’s cert-manager add-on to provision a certificate for each pod. This certificate contains the pod's IP address.

Warning
It is not possible to update an existing cluster to enable or disable TLS. These instructions apply to new deployments only.

Install Jetstack cert-manager

  1. Add the Jetstack helm repo.

    helm repo add jetstack https://charts.jetstack.io
  2. Update the local cache.

    helm repo update
  3. Create the CRDs required for Jetstack.

    kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/v0.13.1/deploy/manifests/00-crds.yaml
  4. Create the namespace for cert-manager.

    kubectl create namespace "cert-manager"
  5. Install cert-manager into the namespace.

    helm upgrade --install --namespace "cert-manager" cert-manager jetstack/cert-manager --version 0.13.1 --set 'extraArgs[0]=--enable-certificate-owner-ref=true'
Important
Complete this process only once per Fusion cluster. All namespaces in the cluster are affected by it.

Prepare the namespace for Fusion

  1. Create the namespace to install Fusion into.

    kubectl create namespace ${KUBE_NAMESPACE}
  2. Create the root CA certificate for the namespace. It will be used to sign all certificates in the namespace.

    cat <<EOF | cfssl genkey -initca - | cfssljson -bare ca
    {
        "hosts": [
        ],
        "key": {
            "algo": "rsa",
            "size": 4096
        },
        "names": [
            {
                "C":  "US",
                "L":  "San Francisco",
                "O":  "Lucidworks",
                "OU": "Engineering",
                "ST": "California"
            }
        ]
    }
    EOF
    
    kubectl --namespace "${KUBE_NAMESPACE}" create secret generic cert-manager-ca --from-literal=tls.crt="$(cat ca.pem)" --from-literal=tls.key="$(cat ca-key.pem)"
  3. Create a cert-manager issuer to sign CSRs in the namespace.

    cat > ca-issuer.yaml <<EOF
    apiVersion: cert-manager.io/v1alpha2
    kind: Issuer
    metadata:
      name: ${KUBE_NAMESPACE}-ca-issuer
    spec:
      ca:
        secretName: cert-manager-ca
    EOF
    kubectl --namespace "${KUBE_NAMESPACE}" apply -f ca-issuer.yaml
  4. Install Fusion with the following parameters:

    helm install... --set global.tlsEnabled=true --set global.tlsIssuerRef=${KUBE_NAMESPACE}-ca-issuer
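After step 4, a check worth running is that each pod really serves a certificate signed by the namespace CA and carrying its own IP address, since that is what the endpoint-based load balancing described above relies on. The script below is an added example, not part of the Fusion documentation; it assumes kubectl and openssl are on PATH, KUBE_NAMESPACE is set as in the steps above, the host running it can reach pod IPs, and the port you pass is the TLS port of the Fusion service being checked (a placeholder; dependency pods in the namespace may not serve TLS on it).

```shell
#!/bin/sh
# Added example (not from the Fusion docs): verify that pods in KUBE_NAMESPACE serve
# certificates that chain to the namespace CA (ca.pem from step 2) and list their own
# pod IP as a subjectAltName. Port and pod selection are assumptions, see lead-in.

# san_has_ip SAN_TEXT IP
# SAN_TEXT is the subjectAltName value line as printed by `openssl x509 -noout -text`,
# e.g. "IP Address:10.8.2.17, DNS:fusion-query". Matches the whole address only,
# so 10.8.2.1 does not match an entry for 10.8.2.17 and dots are not wildcards.
san_has_ip() {
  san=$1; ip=$2
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
  printf '%s\n' "$san" | grep -Eq "(^|[ ,])IP Address:${ip_re}(,|$)"
}

# pod_cert_san POD_IP PORT : fetch the certificate the pod presents and print its SAN line.
pod_cert_san() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# pod_cert_verifies POD_IP PORT CA_PEM : succeeds if the presented leaf chains to CA_PEM.
# cert-manager signs each pod certificate directly with the CA in the cert-manager-ca
# secret, so the namespace CA alone is enough to verify the leaf.
pod_cert_verifies() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | openssl x509 | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# check_namespace PORT CA_PEM : walk every pod IP in KUBE_NAMESPACE (the same pod IPs
# Fusion reaches through the endpoints API) and report the pods that fail either check.
check_namespace() {
  port=$1; ca=$2; rc=0
  for ip in $(kubectl -n "${KUBE_NAMESPACE}" get pods -o jsonpath='{.items[*].status.podIP}'); do
    if ! pod_cert_verifies "$ip" "$port" "$ca"; then
      echo "FAIL $ip: certificate does not chain to $ca"; rc=1
    elif ! san_has_ip "$(pod_cert_san "$ip" "$port")" "$ip"; then
      echo "FAIL $ip: certificate SAN does not contain the pod IP"; rc=1
    else
      echo "ok   $ip"
    fi
  done
  return $rc
}

# Usage against a live cluster, with 8764 as a placeholder TLS port:
#   check_namespace 8764 ca.pem
```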