New to KubeDB? Please start here.
Weaviate TLS Encryption
Prerequisite: To configure TLS in Weaviate, KubeDB uses cert-manager to issue certificates. So first you have to make sure that the cluster has cert-manager installed. Install cert-manager in your cluster following the steps here.
To issue a certificate, the following CRDs of cert-manager are used:
Issuer/ClusterIssuer: Issuers and ClusterIssuers represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request. You can learn more details here.Certificate: cert-manager has the concept of Certificates that define a desired x509 certificate which will be renewed and kept up to date. You can learn more details here.
Weaviate CRD Specification:
KubeDB uses the following CRD fields to enable TLS encryption in Weaviate.
spec:tls:issuerRefcertificatesclientAuth
KubeDB uses the Issuer or ClusterIssuer referenced in the tls.issuerRef field to generate the certificate secrets. These certificate secrets (the server and client certificates, each holding ca.crt, tls.crt, and tls.key) are used to configure the Weaviate server. When TLS is enabled, the REST service is served over HTTPS on port 8443 (instead of plain HTTP on 8080).
Here,
issuerRefis a reference to theIssuerorClusterIssuerCR of cert-manager that will be used byKubeDBto generate the necessary certificates.apiGroupis the group name of the resource that is being referenced. Currently, the only supported value iscert-manager.io.kindis the type of resource that is being referenced.KubeDBsupports bothIssuerandClusterIssueras values for this field.nameis the name of the resource (IssuerorClusterIssuer) being referenced.
certificates(optional) is a list of additional certificate specifications used to configure the Weaviate server. You can specify customdnsNames,ipAddresses, andsubjectfor the certificates.clientAuth(optional) controls whether the REST HTTPS listener requires clients to present a valid client certificate (mutual TLS). When unset ortrue, client certificate authentication is enforced; set it tofalseto allow clients to connect without a client certificate.
How TLS Configures in Weaviate
Deploying Weaviate with TLS configuration consists of the following steps:
At first, a user creates an
Issuer/ClusterIssuerCR.Then the user creates a
WeaviateCR which refers to theIssuer/ClusterIssuerCR created in the previous step throughspec.tls.issuerRef.KubeDB-Provisioneroperator watches for theWeaviateCR.KubeDBOps-manager operator createsCertificateresources by using thetls.issuerRefandtls.certificatesspecification from theWeaviateCR.cert-managerwatches for the certificates and issues the certificate secrets (serverandclient) that hold the actual certificates signed by the CA.KubeDB-Provisioneroperator watches for the certificate secrets and configures theWeaviatePetSet so that the database serves traffic over TLS.
In the next doc, we are going to show a step-by-step guide on how to configure a Weaviate database with TLS.































