Version: 22.2

Configuring TLS on Kubernetes

Redpanda supports Transport Layer Security (TLS) encryption on Kubernetes. For certificate management, the Redpanda Helm chart uses cert-manager with either a self-signed Issuer or your own custom Issuer.


This page uses the recommended redpanda Helm chart for configuring TLS. For information about using the redpanda-operator Helm chart (supported for backward compatibility), see Redpanda Operator.

Use self-signed Issuer

By default, the Redpanda Helm chart uses cert-manager to create self-signed certificates. To use them, enable TLS when you install or upgrade Redpanda with the Helm chart.

See Artifact Hub for the default values.


Install cert-manager:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--set installCRDs=true \
--namespace cert-manager \
--create-namespace

Enable TLS

You can enable TLS in the Redpanda Helm chart using either command line flags or a YAML file to override default values.

During install or upgrade, enable TLS configuration:

helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
--set tls.enable=true --set external.domain=mydomain.dom

Validate connection

Retrieve the root certificate authority (CA) to use with clients:

kubectl -n redpanda get secret redpanda-default-root-certificate -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt

Use that root CA to validate your connection to Redpanda:

rpk topic list --tls-enabled --tls-truststore=ca.crt ...
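
The following is an added example, not part of the Redpanda documentation: shell functions that check the extracted ca.crt before it is handed to clients (non-empty, parses as PEM, marked as a CA, not about to expire) and confirm that a given certificate chains to it. The function names are hypothetical, the openssl CLI is assumed to be installed, and make_sample_pki builds constructed throwaway data so the checks can be tried without a cluster.

```bash
# check_ca FILE [MIN_DAYS]: returns 0 if FILE is a PEM CA certificate that
# stays valid for at least MIN_DAYS (default 30), else a distinct error code.
check_ca() {
  local file=$1 min_days=${2:-30}
  # The kubectl redirect leaves an empty file when the secret or its
  # ca.crt key does not exist.
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 2; }
  openssl x509 -in "$file" -noout 2>/dev/null ||
    { echo "not a PEM certificate: $file" >&2; return 3; }
  openssl x509 -in "$file" -noout -text | grep -q 'CA:TRUE' ||
    { echo "not a CA certificate: $file" >&2; return 4; }
  openssl x509 -in "$file" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "expires within $min_days days: $file" >&2; return 5; }
}

# signed_by CA_FILE CERT_FILE: returns 0 only if CERT_FILE chains to CA_FILE.
# This covers the chain check only; hostname matching is not tested here.
signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_sample_pki DIR: writes constructed sample data to DIR, a throwaway CA
# (ca.crt) and a leaf certificate it signs (leaf.crt). Not real cluster data.
make_sample_pki() {
  local dir=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = constructed-sample-ca' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/ca.cnf"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=constructed-broker' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/leaf.csr" -days 30 -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
}
```

After the kubectl command above, a zero exit status from check_ca ca.crt means the file is usable as a truststore; return codes 2 to 5 identify which check failed.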

Use custom Issuer

You can use your own Issuer or ClusterIssuer to take advantage of an ACME certificate provider like Let's Encrypt or to use an intermediate CA.


You must have a cert-manager Issuer in the Redpanda namespace or ClusterIssuer in your cluster.

See the cert-manager documentation for details.

Enable TLS

Create a YAML file containing the values to override the defaults. The command below expects it to be named tls_enable.yaml.


enable: true
name: my-custom-issuer
kind: ClusterIssuer
domain: mydomain.dom

During install or upgrade, reference the TLS configuration values file:

helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
--values tls_enable.yaml
