Merged
Expand Up @@ -4,11 +4,11 @@
:page-categories: Management, Security
:env-kubernetes: true

When using glossterm:cert-manager[] for TLS certificate management, you have the option to use a self-signed certificate or a certificate signed by a trusted certificate authority (CA). This topic provides instructions for each option.
When using glossterm:cert-manager[] for TLS certificate management, you can use a self-signed certificate or a certificate signed by a trusted certificate authority (CA). This topic provides instructions for each option.

Redpanda supports both TLS and mTLS:

- TLS, previously SSL, provides encryption for client-server communication. A server certificate prevents third parties from accessing data transferred between the client and server.
- TLS, previously SSL, provides encryption for client-server communication. A server certificate prevents third parties from accessing data transferred between the client and the server.

- mTLS, or mutual TLS, is a protocol that authenticates both the server and the client. In addition to the server certificate required in TLS, mTLS also requires the client to give a certificate. mTLS is useful for environments that require additional security and only have a small number of verified clients.
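Review bot: In the TLS bullet, the reworded sentence still says the server certificate is what "prevents third parties from accessing data". The certificate lets the client authenticate the server, while the encryption named in the preceding sentence is what protects data in transit. Since the line is being edited anyway, consider something like "A server certificate lets the client verify the server's identity, and the encrypted session keeps third parties from reading data transferred between the client and the server." In the mTLS bullet, "give a certificate" would read better as "present a certificate".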

Expand Down Expand Up @@ -44,7 +44,7 @@ By default, the Redpanda Helm chart uses cert-manager to generate four Certifica

|===

For each Certificate resource, a corresponding Secret resource exists, which contains the TLS files.
A corresponding Secret resource exists for each Certificate resource. The Secret contains the TLS files.

Having separate self-signed certificates for internal and external connections provides security isolation.
If an external certificate or its corresponding private key is compromised,
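Review bot: "The Secret contains the TLS files" in the new second sentence leaves the reader guessing which files are meant. Consider naming them (cert-manager writes `tls.crt` and `tls.key`, plus `ca.crt` when the issuer provides a CA) and stating that the Secret holds the private key, which ties in with the paragraph on key compromise that follows.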
Expand Down Expand Up @@ -271,7 +271,7 @@ Helm::
tls:
enabled: true
certs:
default:
external:
issuerRef:
name: <issuer-name>
kind: <issuer>
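Review bot: `kind: <issuer>` under `issuerRef` reads like a second name placeholder next to `name: <issuer-name>`. For cert-manager's built-in issuers this field takes a resource kind, `Issuer` or `ClusterIssuer`, so a placeholder that says so, or a sentence below the block listing the two values, would prevent a misconfigured reference. Also confirm that the prose introducing this block now refers to the `external` certificate rather than `default`.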
Expand All @@ -290,9 +290,9 @@ helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --crea
```bash
helm upgrade --install redpanda redpanda/redpanda --namespace <namespace> --create-namespace \
--set tls.enabled=true \
--set tls.certs.default.issuerRef.name=<issuer-name> \
--set tls.certs.default.issuerRef.kind=<issuer> \
--set tls.certs.default.caEnabled=false \
--set tls.certs.external.issuerRef.name=<issuer-name> \
--set tls.certs.external.issuerRef.kind=<issuer> \
--set tls.certs.external.caEnabled=false \
--set external.domain=<custom-domain>
```
====
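Review bot: With the three `--set` flags moved from `tls.certs.default` to `tls.certs.external`, the `default` certificate is no longer overridden by this command and presumably stays on the chart default, which the earlier section describes as self-signed. Add a sentence saying that this command places only the external certificate under the trusted issuer, so readers who also need CA-signed internal certificates know to set `tls.certs.default` as well.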
Expand Down Expand Up @@ -438,4 +438,4 @@ include::shared:partial$suggested-reading.adoc[]

* https://killercoda.com/redpanda/scenario/redpanda-k8s-secure[Securing Redpanda in Kubernetes (Day 2 Ops)^]
* xref:reference:k-redpanda-helm-spec.adoc#external[Redpanda Helm Specification]
* xref:reference:k-crd.adoc[Redpanda CRD Reference]
* xref:reference:k-crd.adoc[Redpanda CRD Reference]