New to KubeDB? Please start here.
Milvus TLS/SSL Encryption
KubeDB supports providing TLS/SSL encryption for Milvus. This guide will give you an overview of how it works.
Before You Begin
- You should be familiar with the following
KubeDBconcepts:
How TLS/SSL Configures in Milvus
KubeDB uses cert-manager to provision and manage the certificates used by Milvus. You point the database at a cert-manager Issuer or ClusterIssuer through spec.tls.issuerRef, and KubeDB requests the required certificates on your behalf.
spec:
tls:
issuerRef:
name: milvus-issuer
kind: Issuer
apiGroup: "cert-manager.io"
external:
mode: mTLS
internal:
mode: TLS
certificates:
- alias: server
- alias: client
spec.tls.issuerRefreferences the cert-managerIssuer/ClusterIssuerthat signs the certificates.spec.tls.externalcontrols client-facing traffic.modecan beDisabled,TLS(server-side only) ormTLS(mutual TLS — clients must present a certificate).spec.tls.internalcontrols inter-component traffic between Milvus roles.modecan beDisabledorTLS.spec.tls.certificateslets you customize the two certificate aliases used by Milvus:server— the server certificate, stored in the<db>-server-certsecret.client— the client certificate, stored in the<db>-client-certsecret.
When TLS is enabled, KubeDB:
- Requests the
serverandclientcertificates from cert-manager. - Mounts them, together with the CA, into every Milvus pod at
/milvus/tls(ca.pem,server.pem,server.key,client.pem,client.key). - Renders the appropriate
internaltls,tlsModeandcommon.securitysettings intomilvus.yaml. - Sets the connection scheme in the
AppBindingtohttps.
In the next doc, we will see a step-by-step guide on deploying a TLS-secured Milvus database.































