New to KubeDB? Please start here.
Reconfigure Weaviate TLS
This guide will give you an overview of how KubeDB Ops Manager reconfigures the TLS configuration of a Weaviate cluster — adding TLS, rotating certificates, updating the issuer, and removing TLS.
Before You Begin
- You should be familiar with the following
KubeDBconcepts:
How Reconfigure TLS Process Works
Weaviate TLS uses cert-manager to issue the server and client certificates. The TLS configuration is referenced through spec.tls on the Weaviate object.
The reconfigure TLS process consists of the following steps:
The user creates a
WeaviateOpsRequestCR of typeReconfigureTLSreferencing theWeaviatedatabase. Thespec.tlsfield describes the desired change:- Add / Update TLS — provide
spec.tls.issuerRef(and optionallyclientAuth) to enable TLS or switch to a new issuer. - Rotate certificates — set
spec.tls.rotateCertificates: trueto re-issue the certificates. - Remove TLS — set
spec.tls.remove: trueto disable TLS.
- Add / Update TLS — provide
KubeDBOps Manager watches for theWeaviateOpsRequestCR and halts theWeaviateobject.For add/rotate/update operations, the Ops Manager creates or re-issues the
serverandclientcertificates through cert-manager and waits for them to be ready. For remove, it deletes the certificate references.The Ops Manager updates the PetSet and restarts the pods one by one so they pick up the new TLS configuration. When TLS is enabled, the REST service port switches from
8080(http) to8443(https); when removed, it switches back.After successfully reconfiguring TLS, the
KubeDBOps Manager resumes theWeaviateobject so that theKubeDBProvisioner operator resumes its usual operations.
In the next doc, we are going to show a step-by-step guide on reconfiguring TLS for a Weaviate cluster.































