Version: 22.3

Configure TLS in Kubernetes

Redpanda supports Transport Layer Security (TLS) encryption in Kubernetes. For certificate management, the Redpanda Helm chart uses cert-manager with either a self-signed Issuer or your own custom Issuer.

Note: This page uses the recommended Redpanda Helm chart for configuring TLS. For information about using the redpanda-operator Helm chart (supported for backward compatibility), see Redpanda Operator.

Use self-signed Issuer

By default, the Redpanda Helm chart uses cert-manager to create self-signed certificates. To turn on TLS, set tls.enabled when installing or upgrading Redpanda with the Helm chart.

See Artifact Hub for the default values.

Prerequisites

Install cert-manager:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --set installCRDs=true \
  --namespace cert-manager \
  --create-namespace

Enable TLS

You can enable TLS in the Redpanda Helm chart using either command line flags or a YAML file to override default values.

During install or upgrade, enable TLS configuration:

helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
  --set tls.enabled=true --set external.domain=mydomain.dom

Validate connection

Retrieve the root certificate authority (CA) to use with clients:

kubectl -n redpanda get secret redpanda-default-root-certificate -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt

Use that root CA to validate your connection to Redpanda:

rpk topic list --tls-enabled --tls-truststore=ca.crt ...
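
Before distributing ca.crt to clients, check what the redirect actually wrote. The script below is an added example, not part of the Redpanda documentation; the function name check_ca_file and the 30-day default are assumptions. It rejects an empty file, any private key material, and certificates that do not parse or are close to expiry, and prints the subject, expiry and SHA-256 fingerprint of each certificate for out-of-band comparison.

```shell
#!/bin/sh
# Added example, not part of the Redpanda docs. check_ca_file and the
# 30-day default are assumptions made for this illustration.

# check_ca_file FILE [MIN_DAYS]
# Succeeds only if FILE holds PEM certificates, no private key material,
# and every certificate remains valid for at least MIN_DAYS more days.
check_ca_file() {
    file=$1
    min_days=${2:-30}

    # The shell redirect creates ca.crt even when the Secret has no "ca.crt"
    # data, so an empty file is the first thing to rule out.
    [ -s "$file" ] || { echo "FAIL: $file is empty or missing" >&2; return 1; }

    # A truststore carries public certificates only; tls.key must not leak in.
    if grep -q 'PRIVATE KEY-----' "$file"; then
        echo "FAIL: $file contains private key material" >&2
        return 1
    fi

    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file") || true
    [ "$count" -ge 1 ] || { echo "FAIL: no PEM certificate in $file" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 || { echo "FAIL: openssl not found" >&2; return 1; }

    # openssl x509 reads one certificate per file, so split the bundle first.
    tmpd=$(mktemp -d) || return 1
    awk -v d="$tmpd" '/^-----BEGIN CERTIFICATE-----/ { n++ }
                      n { print > (d "/" n ".pem") }' "$file"
    rc=0
    for pem in "$tmpd"/*.pem; do
        if openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
            # Print what to compare out of band with the cluster operator.
            openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256
        else
            echo "FAIL: certificate unparsable or expiring within $min_days days" >&2
            rc=1
        fi
    done
    rm -rf "$tmpd"
    return "$rc"
}

# Usage: sh check-ca.sh ca.crt 30
if [ "$#" -ge 1 ]; then check_ca_file "$@"; fi
```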

Use custom Issuer

You can use your own Issuer or ClusterIssuer to take advantage of an ACME certificate provider like Let's Encrypt or to use an intermediate CA.

Prerequisites

You must have a cert-manager Issuer in the Redpanda namespace or a ClusterIssuer in your cluster.

See the cert-manager documentation for details.

Enable TLS

Create a YAML file containing the values to override the defaults.

tls-enable.yaml

tls:
  # Same key as --set tls.enabled=true on the command line
  enabled: true
  certs:
    default:
      issuerRef:
        name: my-custom-issuer
        kind: ClusterIssuer
external:
  domain: mydomain.dom

During install or upgrade, reference the TLS configuration values file:

helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
  --values tls-enable.yaml
