Overview
This article describes the steps to enable wire encryption for Web UI traffic on a Kubernetes-based cluster using the Dremio-provided Helm charts. The same process can be used for other ports that need to be encrypted. A key step is to create a secret that stores the certificate and key within Kubernetes.
Applies To
All Dremio releases using Helm to manage the configuration. The tests below use V2 of the Helm charts.
Details
1) Obtain or generate a key (.pem) and certificate (.crt). The example below accepts the default options when prompted.
$ openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out example.crt \
    -keyout example.key
....
2) Create a secret with the key and certificate. This example creates a secret named dremio-tls-secret-ui; the name ties it to Web UI encryption.
$ kubectl create secret tls dremio-tls-secret-ui --key example.key --cert example.crt
secret/dremio-tls-secret-ui created
3) Update values.yaml to enable SSL and specify the secret to use. The example shows the changes to the port:, enabled: and secret: values.
# Web UI
web:
  port: 443
  tls:
    # To enable TLS for the web UI, set the enabled flag to true and provide
    # the appropriate Kubernetes TLS secret.
    enabled: true
    # To create a TLS secret, use the following command:
    # kubectl create secret tls ${TLS_SECRET_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
    secret: dremio-tls-secret-ui
4) Run a helm upgrade for the changes to take effect.
$ helm upgrade rc-dremio .
Release "rc-dremio" has been upgraded. Happy Helming!
NAME: rc-dremio
LAST DEPLOYED: Mon Mar 14 09:48:11 2022
NAMESPACE: default
STATUS: deployed
REVISION: 4
TEST SUITE: None
5) Check that port 443 is open.
$ kubectl get services dremio-client
NAME            TYPE           CLUSTER-IP       EXTERNAL-IP                                                              PORT(S)                                         AGE
dremio-client   LoadBalancer   10.100.145.155   afa9b57823a8d4f32b0fde65191da75b-812099760.eu-west-1.elb.amazonaws.com   31010:30242/TCP,443:31127/TCP,32010:31351/TCP   13h
6) Now point your browser to https://<url>:443 to access your encrypted Web UI.
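The checks below are an added example, not part of Dremio's Helm charts or documentation: they confirm that the certificate and key from step 1 belong together before the secret is created, and that the endpoint from step 5 serves the certificate stored in dremio-tls-secret-ui. The function names are hypothetical; openssl, kubectl and base64 are assumed to be on the PATH, and the secret is assumed to be in the default namespace unless another is passed.

```shell
#!/bin/sh
# Added example: checks around steps 1-5. Function names are hypothetical.
# Assumes openssl, kubectl and base64 are on PATH.

# Returns 0 only when the certificate ($1) and private key ($2) share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate ($1) stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-256 fingerprint of the PEM certificate on stdin (empty output if unparsable).
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of tls.crt inside secret $1 (namespace $2, assumed "default").
secret_cert_fp() {
    kubectl get secret "$1" -n "${2:-default}" -o 'jsonpath={.data.tls\.crt}' |
        base64 -d | cert_fp
}

# Fingerprint of the certificate actually served at host $1, port $2.
served_cert_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | cert_fp
}

# Returns 0 only when host $2:$3 serves the certificate stored in secret $1.
secret_is_served() {
    want=$(secret_cert_fp "$1" "$4")
    got=$(served_cert_fp "$2" "$3")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage (values from this article; <url> is the EXTERNAL-IP from step 5):
#   cert_matches_key example.crt example.key && cert_valid_for_days example.crt 30
#   secret_is_served dremio-tls-secret-ui <url> 443
```

The certificate generated in step 1 is self-signed, so browsers will show a trust warning; matching fingerprints confirm that the warning refers to your own certificate.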
Further Reading
Dremio Cloud Tools: https://github.com/dremio/dremio-cloud-tools
Wire Encryption: https://docs.dremio.com/software/security/encrypting-dremio/