Configuring TLS on Kubernetes

Redpanda supports Transport Layer Security (TLS) encryption on Kubernetes. For certificate management, the Redpanda Helm chart uses cert-manager, with either a self-signed Issuer that the chart creates for you or a custom Issuer or ClusterIssuer that you provide.

This page uses the recommended redpanda Helm chart for configuring TLS. For information about using the redpanda-operator Helm chart (supported for backward compatibility), see Redpanda Operator.

Use self-signed Issuer

By default, the Redpanda Helm chart uses cert-manager to create a self-signed root CA and to issue the broker certificates from it. To use it, enable TLS when installing or upgrading Redpanda with the Helm chart, as shown in the following sections.

See Artifact Hub for the default values.

Prerequisites

Install cert-manager, including its CRDs, before you install the Redpanda chart with TLS enabled. The chart creates cert-manager Issuer and Certificate resources, and those fail to apply if the CRDs are not present:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
    --set installCRDs=true \
    --namespace cert-manager \
    --create-namespace

Enable TLS

You can enable TLS in the Redpanda Helm chart using either command line flags or a YAML file to override the default values. Both forms set the same two values: tls.enable turns TLS on, and external.domain is the domain used in the brokers' externally advertised addresses and in the names on their certificates, so it must be the domain that clients actually connect to.

CLI flags

During install or upgrade, enable TLS configuration:

helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
  --set tls.enable=true --set external.domain=mydomain.dom

YAML values

Create a YAML file containing the values to override from the defaults.

tls_enable.yaml

tls:
  enable: true
external:
  domain: mydomain.dom

During install or upgrade, reference the TLS configuration values file:

helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
  --values tls_enable.yaml

You can repeat the --values flag, which lets you keep individual value overrides logically separated by file.

Validate connection

Retrieve the root certificate authority (CA) to use with clients. The secret also contains the CA's private key (tls.key); extract only ca.crt, and never copy the key out of the cluster:

kubectl -n redpanda get secret redpanda-default-root-certificate -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt

Use that root CA as the truststore when connecting to Redpanda, for example with rpk (supply the broker addresses and any other connection flags in place of ...):

rpk topic list --tls-enabled --tls-truststore=ca.crt ...
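A successful rpk call shows that a client can connect, but not which certificate the broker served or which name on it matched. The following script is an added example, not part of the Redpanda docs or the chart: it extracts ca.crt as above, performs a TLS handshake with a broker, checks that the served chain verifies against that CA, and then checks that one of the certificate's DNS SANs covers the broker hostname, implementing the single-label wildcard rule that TLS clients apply. It assumes kubectl and openssl (1.1.1 or later, for the -ext option) on PATH, the redpanda namespace and the secret name from the command above, and a broker hostname and port that you supply; the hostname redpanda-0.mydomain.dom in the usage line is illustrative, and the port is whatever your external Kafka listener advertises.

```shell
#!/bin/sh
# check_redpanda_tls.sh (added example; not part of the Redpanda docs or chart)
#
# Checks what "rpk connects" alone does not show: that the certificate a
# broker actually serves chains to the CA extracted above, and that one of
# its DNS SANs covers the hostname you give clients. Assumes kubectl and
# openssl (1.1.1 or later, for -ext) on PATH, the "redpanda" namespace, the
# chart's root CA secret "redpanda-default-root-certificate", and a broker
# hostname and port supplied by the caller (redpanda-0.mydomain.dom in the
# usage line is illustrative; the port is whatever your external Kafka
# listener advertises).
set -eu

# Pull the public trust anchor out of the cert-manager secret. Only ca.crt
# should leave the cluster: the same secret also holds tls.key, the CA's
# private key.
fetch_ca() { # args: namespace outfile
  kubectl -n "$1" get secret redpanda-default-root-certificate \
    -o go-template='{{ index .data "ca.crt" | base64decode }}' > "$2"
  openssl x509 -in "$2" -noout -subject -enddate
}

# Hostname matching as TLS clients apply it: a SAN matches a host exactly
# (case-insensitively), or, if the SAN starts with "*.", the "*" stands for
# exactly one leftmost label. So "*.mydomain.dom" covers
# "redpanda-0.mydomain.dom" but neither "mydomain.dom" nor
# "a.redpanda-0.mydomain.dom". Returns 0 when the SAN covers the host.
san_covers() { # args: san host
  local san host suffix rest
  san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$san" = "$host" ] && return 0
  case "$san" in
    '*.'*) ;;                         # wildcard only in the leftmost label
    *) return 1 ;;
  esac
  suffix=${san#'*.'}
  rest=${host%".$suffix"}
  [ "$rest" != "$host" ] || return 1  # host does not end in ".$suffix"
  [ -n "$rest" ] || return 1          # nothing for "*" to match
  case "$rest" in
    *.*) return 1 ;;                  # "*" must not span a dot
  esac
  return 0
}

# Full handshake output from the broker, with the chain verified against
# the CA file. The leaf certificate (PEM) and a "Verify return code" line
# are both in this output.
handshake() { # args: host port cafile
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    </dev/null 2>/dev/null
}

check_broker() { # args: host port cafile
  local host port cafile out san
  host=$1; port=$2; cafile=$3
  out=$(handshake "$host" "$port" "$cafile") || true
  if ! printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo "FAIL: certificate served by $host:$port does not verify against $cafile" >&2
    printf '%s\n' "$out" | grep 'Verify return code' >&2 || true
    return 1
  fi
  # openssl x509 reads the first PEM block in its input, i.e. the leaf cert.
  for san in $(printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName \
               | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'); do
    if san_covers "$san" "$host"; then
      echo "OK: $host:$port chains to $cafile and is covered by SAN $san"
      return 0
    fi
  done
  echo "FAIL: no DNS SAN on the served certificate covers $host" >&2
  return 1
}

# Usage: ./check_redpanda_tls.sh redpanda-0.mydomain.dom <port> [ca.crt]
# With no arguments the script only defines the functions above.
if [ $# -ge 2 ]; then
  cafile=${3:-ca.crt}
  [ -f "$cafile" ] || fetch_ca redpanda "$cafile"
  check_broker "$1" "$2" "$cafile"
fi
```

Run it against each broker hostname you advertise, not just one: a certificate whose SANs cover redpanda-0 but not redpanda-1 passes rpk when it happens to talk to the first broker and fails later in production. The chain check and the name check are deliberately separate so that a failure message tells you which of the two is wrong.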

Use custom Issuer

You can use your own Issuer or ClusterIssuer, for example to obtain certificates from an ACME provider such as Let's Encrypt or to issue from an intermediate CA that your organization already trusts. Whichever issuer you reference must be able to issue for every name the brokers' certificates need: an ACME issuer validates names over the public internet, so it can only issue for publicly resolvable names under external.domain, not for in-cluster service names.

Prerequisites

You must have a cert-manager Issuer in the Redpanda namespace, or a ClusterIssuer in your cluster, and it must be Ready before the chart's Certificate resources can be issued. The kind you set in issuerRef must match the resource type you created.

See the cert-manager documentation for details.

Enable TLS

Create a YAML file containing the values to override the defaults.

tls_enable.yaml

tls:
  enable: true
  certs:
    default:
      issuerRef:
        name: my-custom-issuer
        kind: ClusterIssuer
external:
  domain: mydomain.dom

During install or upgrade, reference the TLS configuration values file:

helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
  --values tls_enable.yaml
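The values file above references a ClusterIssuer named my-custom-issuer but the page does not show how one is created. The following script is an added example, not part of the Redpanda docs or the chart: it creates that ClusterIssuer backed by an intermediate CA you already hold, after checking that the certificate and key belong together and that the certificate is actually a CA, and then confirms after the helm upgrade that the chart's Certificate resources were issued by it. It assumes kubectl and openssl (1.1.1 or later, for the -ext option) on PATH, cert-manager installed in its default cert-manager namespace, the Redpanda release in the redpanda namespace, and PEM files for the intermediate CA; the secret name redpanda-intermediate-ca and the file names in the usage line are illustrative.

```shell
#!/bin/sh
# ca_clusterissuer.sh (added example; not part of the Redpanda docs or chart)
#
# Creates the ClusterIssuer that the values file above refers to
# (issuerRef name my-custom-issuer, kind ClusterIssuer), backed by an
# intermediate CA you already hold, and then confirms that the chart's
# Certificate resources were issued by it. Assumes kubectl and openssl
# (1.1.1 or later) on PATH, cert-manager installed in the "cert-manager"
# namespace, the Redpanda release in the "redpanda" namespace, and the
# intermediate CA's certificate and private key as PEM files named by the
# caller. The secret name redpanda-intermediate-ca and the file names in
# the usage line are illustrative.
set -eu

# A ClusterIssuer of type "ca" signs with the key stored in
# spec.ca.secretName. Because a ClusterIssuer is cluster-scoped,
# cert-manager looks for that secret in its own "cluster resource
# namespace" ("cert-manager" by default), not in the Redpanda namespace.
render_ca_clusterissuer() { # args: issuer-name secret-name
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $1
spec:
  ca:
    secretName: $2
EOF
}

# Catch the two mistakes that otherwise surface only as a ClusterIssuer
# that never becomes Ready: a key that does not belong to the certificate,
# and a certificate that is not a CA.
check_ca_pair() { # args: cert.pem key.pem
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $2 is not the private key for $1" >&2; return 1; }
  openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE' \
    || { echo "FAIL: $1 is not a CA certificate" >&2; return 1; }
}

create_ca_issuer() { # args: issuer-name secret-name cert.pem key.pem
  check_ca_pair "$3" "$4"
  # "kubectl create secret tls" produces a kubernetes.io/tls secret with
  # tls.crt and tls.key, the layout the CA issuer expects. Going through
  # apply lets the command be re-run to rotate the intermediate.
  kubectl -n cert-manager create secret tls "$2" --cert="$3" --key="$4" \
    --dry-run=client -o yaml | kubectl -n cert-manager apply -f -
  render_ca_clusterissuer "$1" "$2" | kubectl apply -f -
  kubectl wait --for=condition=Ready "clusterissuer/$1" --timeout=60s
}

# After helm upgrade --install: every Certificate the chart created should
# be Ready and reference your ClusterIssuer rather than the chart's
# self-signed one.
verify_issued() { # args: redpanda-namespace
  kubectl -n "$1" wait --for=condition=Ready certificate --all --timeout=120s
  kubectl -n "$1" get certificate \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.issuerRef.kind}/{.spec.issuerRef.name}{"\n"}{end}'
}

# Usage: ./ca_clusterissuer.sh my-custom-issuer redpanda-intermediate-ca intermediate.pem intermediate-key.pem
# With no arguments the script only defines the functions above.
if [ $# -ge 4 ]; then
  create_ca_issuer "$1" "$2" "$3" "$4"
fi
```

Run the script before the helm upgrade so that the ClusterIssuer is Ready when the chart's Certificate resources are created, then call verify_issued redpanda afterwards. Clients of an intermediate-signed cluster should trust the root of that intermediate, not the intermediate itself, so that rotating the intermediate does not require redistributing truststores.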