Summary
This article describes the steps to enable wire encryption for Web UI traffic on a Kubernetes-based cluster using the Dremio-provided Helm charts.
Reported Issue
The goal is to encrypt Web UI traffic as it crosses the network, making it more secure.
Overview
The steps below are a step-by-step guide to encrypting the Web UI traffic.
Relevant Versions, Tools and Integrations
All Kubernetes releases of Dremio that use Helm charts to manage the configuration. The steps below were performed using V2 of the Helm charts.
Steps to Resolve
1) Obtain or generate a key (.pem) and certificate (.crt). The example below generates a self-signed certificate and an unencrypted private key, accepting the default options when prompted.
$ openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out example.crt \
    -keyout example.key
....
2) Create a secret with the key and certificate. This example creates a secret named dremio-tls-secret-ui, a name that ties it to Web UI encryption.
$ kubectl create secret tls dremio-tls-secret-ui --key example.key --cert example.crt
secret/dremio-tls-secret-ui created
3) Update values.yaml to enable SSL and specify the secret to use. The example shows the changes to the port:, enabled: and secret: values.
# Web UI
web:
  port: 443
  tls:
    # To enable TLS for the web UI, set the enabled flag to true and provide
    # the appropriate Kubernetes TLS secret.
    enabled: true
    # To create a TLS secret, use the following command:
    # kubectl create secret tls ${TLS_SECRET_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
    secret: dremio-tls-secret-ui
4) Run a helm upgrade for the changes to take effect.
$ helm upgrade rc-dremio .
Release "rc-dremio" has been upgraded. Happy Helming!
NAME: rc-dremio
LAST DEPLOYED: Mon Mar 14 09:48:11 2022
NAMESPACE: default
STATUS: deployed
REVISION: 4
TEST SUITE: None
5) Check that port 443 is open.
$ kubectl get services dremio-client
NAME            TYPE           CLUSTER-IP       EXTERNAL-IP                                                              PORT(S)                                         AGE
dremio-client   LoadBalancer   10.100.145.155   afa9b57823a8d4f32b0fde65191da75b-812099760.eu-west-1.elb.amazonaws.com   31010:30242/TCP,443:31127/TCP,32010:31351/TCP   13h
6) Now point your browser to https://<url>:443 to access your encrypted Web UI.
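To confirm that the Web UI is serving the certificate stored in dremio-tls-secret-ui, the two can be compared by SHA-256 fingerprint. The script below is an added example, not part of the Dremio charts or tooling; the file name check_ui_cert.py and the function names are hypothetical, and it assumes the coordinator presents the secret's certificate unchanged.

```python
"""Compare the certificate served on the Web UI port with the TLS secret.

Usage (check_ui_cert.py is a hypothetical file name):
  kubectl get secret dremio-tls-secret-ui -o json | python3 check_ui_cert.py <url>
"""
import base64
import hashlib
import json
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint (hex) of the first certificate in a PEM bundle."""
    begin = pem_text.find(PEM_BEGIN)
    end = pem_text.find(PEM_END, begin)
    if begin == -1 or end == -1:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(pem_text[begin:end + len(PEM_END)])
    return hashlib.sha256(der).hexdigest()


def secret_fingerprint(secret_json):
    """Fingerprint of tls.crt in `kubectl get secret <name> -o json` output."""
    data = json.loads(secret_json).get("data", {})
    if "tls.crt" not in data:
        raise ValueError("secret has no tls.crt entry; is it a TLS secret?")
    # Secret values are base64-encoded in the API object.
    return pem_fingerprint(base64.b64decode(data["tls.crt"]).decode("ascii"))


def served_fingerprint(host, port=443):
    """Fingerprint of the leaf certificate the endpoint presents.

    No chain validation is done here, so a self-signed certificate such as
    the one from step 1 can still be fetched and compared.
    """
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    expected = secret_fingerprint(sys.stdin.read())
    actual = served_fingerprint(sys.argv[1])
    print("secret:", expected)
    print("served:", actual)
    sys.exit(0 if expected == actual else 1)
```

A non-zero exit status means the endpoint is presenting a different certificate from the one in the secret, for example because the pods have not yet restarted with the new configuration.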
Next Steps
No further steps required.
Additional Resources
Dremio Cloud Tools: https://github.com/dremio/dremio-cloud-tools
Wire Encryption: https://docs.dremio.com/software/security/encrypting-dremio/