New to KubeDB? Please start here.
Reconfiguring TLS of Milvus
This guide will give an overview on how KubeDB Ops-manager operator reconfigures TLS configuration i.e. add TLS, remove TLS, update issuer/cluster issuer and rotate the certificates of a Milvus database.
Before You Begin
- You should be familiar with the following
KubeDBconcepts:
How Reconfiguring Milvus TLS Configuration Process Works
A MilvusOpsRequest of type ReconfigureTLS drives every TLS change. Depending on which field you set in spec.tls, the operator performs one of four operations:
| Field | Operation |
|---|---|
spec.tls.issuerRef + spec.tls.external/spec.tls.internal | Add TLS to a non-TLS database (or update the protocol mode). |
spec.tls.rotateCertificates: true | Rotate the existing certificates (re-issue from the same issuer). |
spec.tls.issuerRef pointing at a new issuer | Change the issuer so future certificates chain to a different CA. |
spec.tls.remove: true | Remove TLS from the database. |
The high-level flow is:
- A user creates a
MilvusOpsRequestof typeReconfigureTLS. - The operator validates the request and pauses the referenced
Milvusdatabase. - cert-manager issues (or re-issues) the
serverandclientcertificates into the<db>-server-certand<db>-client-certsecrets, or those secrets are removed for a TLS-removal request. - The operator updates the rendered
milvus.yaml(internaltls/tlsMode/security) and the PetSets, mounting the certificates at/milvus/tls. - Pods are restarted to pick up the new TLS material.
- Once all pods are healthy, the operator resumes the database and marks the
MilvusOpsRequestasSuccessful.
Milvus TLS Layers
Milvus exposes two independent TLS surfaces, both configured under spec.tls:
external— controls client-facing traffic (gRPC/REST on port19530). Modes:Disabled,TLS(server-only) andmTLS(mutual — clients must present theclientcertificate).internal— controls inter-component traffic between Milvus roles. Modes:DisabledandTLS.
Certificates are described by aliases:
server— server certificate used by the database endpoints.client— client certificate (used by the database for mutual auth and mounted for client tooling).
In the next docs, we will see a step-by-step guide on reconfiguring TLS of a Milvus database using MilvusOpsRequest.































