Reconfigure Qdrant TLS (Transport Encryption)

KubeDB supports reconfiguring TLS certificates for Qdrant — adding, removing, updating, and rotating certificates via a QdrantOpsRequest. This tutorial will show you how to use KubeDB to reconfigure TLS encryption.

Before You Begin

  • You need a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with it. If you do not already have a cluster, you can create one by using kind.

  • Install cert-manager v1.0.0 or later in your cluster to manage your TLS certificates.

  • Now, install KubeDB in your cluster following the steps here.

  • You should be familiar with the following KubeDB concepts:

To keep things isolated, this tutorial uses a separate namespace called demo.

$ kubectl create ns demo
namespace/demo created

Note: YAML files used in this tutorial are stored in the docs/examples/qdrant/reconfigure-tls directory of the kubedb/docs repository.

Add TLS to a Qdrant database

Here, we are going to create a Qdrant database without TLS and then reconfigure the database to use TLS.

Deploy Qdrant without TLS

In this section, we are going to deploy a Qdrant cluster without TLS. Below is the YAML of the Qdrant CR that we are going to create:

apiVersion: kubedb.com/v1alpha2
kind: Qdrant
metadata:
  name: qdrant-sample
  namespace: demo
spec:
  version: "1.17.0"
  replicas: 3
  storage:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
  deletionPolicy: WipeOut

Let’s create the Qdrant CR we have shown above:

$ kubectl create -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/qdrant/reconfigure-tls/qdrant.yaml
qdrant.kubedb.com/qdrant-sample created

Now, wait until qdrant-sample has status Ready:

$ watch -n 3 kubectl get qdrant -n demo qdrant-sample
Every 3.0s: kubectl get qdrant -n demo qdrant-sample

NAME             VERSION   STATUS   AGE
qdrant-sample    1.17.0    Ready    2m

Create Issuer

Now, we are going to create an example Issuer that will be used to enable TLS in Qdrant. Alternatively, you can follow this cert-manager tutorial to create your own Issuer. The steps below create the issuer:

  1. Start off by generating our CA certificate using openssl:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=qdrant/O=kubedb"
Generating a RSA private key
................+++++
........................+++++
writing new private key to './ca.key'

  2. Create a secret using the certificate files we have just generated:

$ kubectl create secret tls qdrant-ca --cert=ca.crt --key=ca.key --namespace=demo
secret/qdrant-ca created

  3. Now we are going to create an Issuer using the qdrant-ca secret that contains the CA certificate we have just created:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: qdrant-issuer
  namespace: demo
spec:
  ca:
    secretName: qdrant-ca

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/qdrant/reconfigure-tls/issuer.yaml
issuer.cert-manager.io/qdrant-issuer created

Add TLS

Now, we are going to create a QdrantOpsRequest to add TLS to the running database.

apiVersion: ops.kubedb.com/v1alpha1
kind: QdrantOpsRequest
metadata:
  name: qdops-add-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: qdrant-sample
  tls:
    issuerRef:
      name: qdrant-issuer
      kind: Issuer
      apiGroup: "cert-manager.io"
    certificates:
    - alias: server
      subject:
        organizations:
        - kubedb:server
      dnsNames:
      - localhost
      ipAddresses:
      - "127.0.0.1"
  timeout: 5m
  apply: IfReady

Here,

  • spec.databaseRef.name specifies that we are performing the reconfigure TLS operation on the qdrant-sample database.
  • spec.type specifies that we are performing ReconfigureTLS on our database.
  • spec.tls.issuerRef specifies the issuer to use for signing certificates.
  • spec.tls.certificates specifies the certificate configuration.
  • spec.timeout specifies the timeout for the operation (learn more here).
  • spec.apply specifies when to apply the operation (learn more here).

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/qdrant/reconfigure-tls/add-tls.yaml
qdrantopsrequest.ops.kubedb.com/qdops-add-tls created

Let’s wait for QdrantOpsRequest to be Successful:

$ kubectl get qdrantopsrequest -n demo qdops-add-tls -w
NAME            TYPE             STATUS       AGE
qdops-add-tls   ReconfigureTLS   Successful   111s

Verify the TLS secrets:

$ kubectl get secrets -n demo | grep qdrant-sample
qdrant-sample-auth                 Opaque                     2      3m
qdrant-sample-client-cert          kubernetes.io/tls          4      108s
qdrant-sample-server-cert          kubernetes.io/tls          3      108s

$ kubectl describe secret -n demo qdrant-sample-client-cert
Name:         qdrant-sample-client-cert
Namespace:    demo
Labels:       app.kubernetes.io/component=database
              app.kubernetes.io/instance=qdrant-sample
              app.kubernetes.io/managed-by=kubedb.com
              app.kubernetes.io/name=qdrants.kubedb.com
              controller.cert-manager.io/fao=true
Annotations:  cert-manager.io/alt-names:
              cert-manager.io/certificate-name: qdrant-sample-client-cert
              cert-manager.io/common-name: qdrant
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: Issuer
              cert-manager.io/issuer-name: qdrant-issuer
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
ca.crt:            1151 bytes
tls-combined.pem:  2811 bytes
tls.crt:           1131 bytes
tls.key:           1679 bytes

Connect to the TLS-enabled database:

Extract the certificates:

kubectl get secret -n demo qdrant-sample-client-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
kubectl get secret -n demo qdrant-sample-client-cert -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
kubectl get secret -n demo qdrant-sample-client-cert -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key

Get the API key:

$ kubectl get secret -n demo qdrant-sample-auth -o jsonpath='{.data.api-key}' | base64 -d
XEHmg7bc4grSjWlH

Port-forward and connect:

$ kubectl port-forward -n demo svc/qdrant-sample 6333:6333 &
Forwarding from 127.0.0.1:6333 -> 6333

$ curl --cacert ca.crt --cert tls.crt --key tls.key -H "api-key: XEHmg7bc4grSjWlH" \
  'https://localhost:6333/collections'
{"result":{"collections":[]},"status":"ok","time":7.87e-6}

Rotate Certificates

Now we are going to rotate the certificates of the database.

apiVersion: ops.kubedb.com/v1alpha1
kind: QdrantOpsRequest
metadata:
  name: qdops-rotate-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: qdrant-sample
  tls:
    rotateCertificates: true

Here,

  • spec.tls.rotateCertificates specifies that we are requesting to rotate the certificates of the qdrant-sample database.

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/qdrant/reconfigure-tls/rotate-tls.yaml
qdrantopsrequest.ops.kubedb.com/qdops-rotate-tls created

Let’s wait for QdrantOpsRequest to be Successful:

$ kubectl get qdrantopsrequest -n demo qdops-rotate-tls -w
NAME               TYPE             STATUS       AGE
qdops-rotate-tls   ReconfigureTLS   Successful   101s
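
The checks behind "Verify the TLS secrets" and behind this rotation step, as an added example that is not part of the KubeDB documentation: confirm that an extracted tls.crt chains to ca.crt and matches tls.key, and that rotation really issued a new certificate. The function names and the make_ca/issue_leaf helpers (which build constructed sample certificates) are assumptions of this example; it also assumes rotation re-issues from the same Issuer and that you saved a copy of tls.crt before applying the rotate request.

```bash
# Added example, not KubeDB's own code. Requires only the openssl CLI.

# chains_to_ca <ca.crt> <tls.crt>: succeeds if tls.crt verifies against the CA.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert <tls.crt> <tls.key>: succeeds if both carry the same public key.
key_matches_cert() {
  _c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  _k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# valid_for <tls.crt> <seconds>: succeeds if the certificate is still valid then.
valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# rotated <ca.crt> <old tls.crt> <new tls.crt>: succeeds if the serial number
# changed and the replacement still chains to the same CA.
rotated() {
  _old=$(openssl x509 -in "$2" -noout -serial 2>/dev/null)
  _new=$(openssl x509 -in "$3" -noout -serial 2>/dev/null)
  [ -n "$_old" ] && [ "$_old" != "$_new" ] && chains_to_ca "$1" "$3"
}

# --- Constructed sample data: a throwaway CA and leaf certificates it signs ---
make_ca() {    # make_ca <dir>
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$1/ca.key" \
    -out "$1/ca.crt" -subj "/CN=qdrant/O=kubedb" 2>/dev/null
}
issue_leaf() { # issue_leaf <dir> <name>  (valid for 90 days)
  openssl req -new -nodes -newkey rsa:2048 -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "/CN=qdrant" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -out "$1/$2.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_ca "$demo" && issue_leaf "$demo" before && issue_leaf "$demo" after
chains_to_ca "$demo/ca.crt" "$demo/before.crt"         && echo "chain: ok"
key_matches_cert "$demo/before.crt" "$demo/before.key" && echo "key pair: ok"
valid_for "$demo/before.crt" $((30 * 86400))           && echo "valid for 30 more days"
rotated "$demo/ca.crt" "$demo/before.crt" "$demo/after.crt" && echo "rotation: new certificate issued"
rm -rf "$demo"
```

Against the real cluster, copy tls.crt to another name before applying the rotate request, re-run the extraction commands from "Extract the certificates" afterwards, and pass both copies to rotated.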

Remove TLS from the Database

In this section, we are going to reconfigure the TLS settings of the database by removing the TLS configuration.

apiVersion: ops.kubedb.com/v1alpha1
kind: QdrantOpsRequest
metadata:
  name: qdops-remove-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: qdrant-sample
  tls:
    remove: true

Here,

  • spec.tls.remove specifies that we are removing the TLS configuration from the qdrant-sample database.

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/qdrant/reconfigure-tls/remove-tls.yaml
qdrantopsrequest.ops.kubedb.com/qdops-remove-tls created

Let’s wait for QdrantOpsRequest to be Successful:

$ kubectl get qdrantopsrequest -n demo qdops-remove-tls -w
NAME               TYPE             STATUS       AGE
qdops-remove-tls   ReconfigureTLS   Successful   3m

Verify that TLS has been removed:

$ kubectl get qdrant -n demo qdrant-sample -o yaml | grep tls

No TLS fields should appear in the output.

Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

kubectl delete qdrantopsrequest -n demo qdops-add-tls qdops-rotate-tls qdops-remove-tls
kubectl delete qdrant -n demo qdrant-sample
kubectl delete issuer -n demo qdrant-issuer
kubectl delete ns demo