New to KubeDB? Please start here.

Reconfigure Qdrant TLS (Transport Encryption)

KubeDB supports reconfiguring TLS certificates for Qdrant — adding, removing, updating, and rotating certificates via a QdrantOpsRequest. This tutorial will show you how to use KubeDB to reconfigure TLS encryption.

Before You Begin

  • At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using kind.

  • Install cert-manager v1.0.0 or later in your cluster from here to manage your TLS certificates.

  • Now, install KubeDB in your cluster following the steps here.

  • You should be familiar with the following KubeDB concepts:

To keep things isolated, this tutorial uses a separate namespace called demo throughout.

$ kubectl create ns demo
namespace/demo created

Note: The YAML files used in this tutorial are stored in the docs/examples/qdrant/reconfigure-tls directory of the kubedb/docs repository.

Add TLS to a Qdrant database

Here, we are going to create a Qdrant database without TLS and then reconfigure the database to use TLS.

Deploy Qdrant without TLS

In this section, we are going to deploy a Qdrant cluster without TLS. Below is the YAML of the Qdrant CR that we are going to create:

apiVersion: kubedb.com/v1alpha2
kind: Qdrant
metadata:
  name: qdrant-sample
  namespace: demo
spec:
  version: "1.17.0"
  replicas: 3
  storage:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
  deletionPolicy: WipeOut

Let’s create the Qdrant CR we have shown above:

$ kubectl create -f https://github.com/kubedb/docs/raw/v2026.6.5-rc.1/docs/examples/qdrant/reconfigure-tls/qdrant.yaml
qdrant.kubedb.com/qdrant-sample created

Now, wait until qdrant-sample has status Ready:

$ watch -n 3 kubectl get qdrant -n demo qdrant-sample
Every 3.0s: kubectl get qdrant -n demo qdrant-sample

NAME             VERSION   STATUS   AGE
qdrant-sample    1.17.0    Ready    2m

Create Issuer

Now, we are going to create an example Issuer that will be used to enable TLS in Qdrant. Alternatively, you can follow this cert-manager tutorial to create your own Issuer. The following steps create the issuer:

  1. Start off by generating our ca-certificates using openssl,

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=qdrant/O=kubedb"
Generating a RSA private key
................+++++
........................+++++
writing new private key to './ca.key'

  2. Create a secret using the certificate files we have just generated,

$ kubectl create secret tls qdrant-ca --cert=ca.crt --key=ca.key --namespace=demo
secret/qdrant-ca created

  3. Now we are going to create an Issuer using the qdrant-ca secret that contains the CA certificate we have just created:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: qdrant-issuer
  namespace: demo
spec:
  ca:
    secretName: qdrant-ca

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.5-rc.1/docs/examples/qdrant/reconfigure-tls/issuer.yaml
issuer.cert-manager.io/qdrant-issuer created

Add TLS

Now, we are going to create a QdrantOpsRequest to add TLS to the running database.

apiVersion: ops.kubedb.com/v1alpha1
kind: QdrantOpsRequest
metadata:
  name: qdops-add-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: qdrant-sample
  tls:
    issuerRef:
      name: qdrant-issuer
      kind: Issuer
      apiGroup: "cert-manager.io"
    certificates:
    - alias: server
      subject:
        organizations:
        - kubedb:server
      dnsNames:
      - localhost
      ipAddresses:
      - "127.0.0.1"
  timeout: 5m
  apply: IfReady

Here,

  • spec.databaseRef.name specifies that we are performing the reconfigure TLS operation on the qdrant-sample database.
  • spec.type specifies that we are performing ReconfigureTLS on our database.
  • spec.tls.issuerRef specifies the issuer to use for signing certificates.
  • spec.tls.certificates specifies the certificate configuration.
  • spec.timeout specifies the timeout for the operation (learn more here).
  • spec.apply specifies when to apply the operation (learn more here).

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.5-rc.1/docs/examples/qdrant/reconfigure-tls/add-tls.yaml
qdrantopsrequest.ops.kubedb.com/qdops-add-tls created

Let’s wait for QdrantOpsRequest to be Successful:

$ kubectl get qdrantopsrequest -n demo qdops-add-tls -w
NAME            TYPE             STATUS       AGE
qdops-add-tls   ReconfigureTLS   Successful   111s

Verify the TLS secrets:

$ kubectl get secrets -n demo | grep qdrant-sample
qdrant-sample-auth                 Opaque                     2      3m
qdrant-sample-client-cert          kubernetes.io/tls          4      108s
qdrant-sample-server-cert          kubernetes.io/tls          3      108s

$ kubectl describe secret -n demo qdrant-sample-client-cert
Name:         qdrant-sample-client-cert
Namespace:    demo
Labels:       app.kubernetes.io/component=database
              app.kubernetes.io/instance=qdrant-sample
              app.kubernetes.io/managed-by=kubedb.com
              app.kubernetes.io/name=qdrants.kubedb.com
              controller.cert-manager.io/fao=true
Annotations:  cert-manager.io/alt-names:
              cert-manager.io/certificate-name: qdrant-sample-client-cert
              cert-manager.io/common-name: qdrant
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: Issuer
              cert-manager.io/issuer-name: qdrant-issuer
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
ca.crt:            1151 bytes
tls-combined.pem:  2811 bytes
tls.crt:           1131 bytes
tls.key:           1679 bytes

Connect to the TLS-enabled database:

Extract the certificates:

kubectl get secret -n demo qdrant-sample-client-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
kubectl get secret -n demo qdrant-sample-client-cert -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
kubectl get secret -n demo qdrant-sample-client-cert -o jsonpath='{.data.tls\.key}' | base64 -d > tls.key

Get the API key:

$ kubectl get secret -n demo qdrant-sample-auth -o jsonpath='{.data.api-key}' | base64 -d
XEHmg7bc4grSjWlH

Port-forward and connect:

$ kubectl port-forward -n demo svc/qdrant-sample 6333:6333 &
Forwarding from 127.0.0.1:6333 -> 6333

$ curl --cacert ca.crt --cert tls.crt --key tls.key -H "api-key: XEHmg7bc4grSjWlH" \
  'https://localhost:6333/collections'
{"result":{"collections":[]},"status":"ok","time":7.87e-6}

Rotate Certificates

Now we are going to rotate the certificates of the database.

apiVersion: ops.kubedb.com/v1alpha1
kind: QdrantOpsRequest
metadata:
  name: qdops-rotate-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: qdrant-sample
  tls:
    rotateCertificates: true

Here,

  • spec.tls.rotateCertificates specifies that we are requesting to rotate the certificates of the qdrant-sample database.

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.5-rc.1/docs/examples/qdrant/reconfigure-tls/rotate-tls.yaml
qdrantopsrequest.ops.kubedb.com/qdops-rotate-tls created

Let’s wait for QdrantOpsRequest to be Successful:

$ kubectl get qdrantopsrequest -n demo qdops-rotate-tls -w
NAME               TYPE             STATUS       AGE
qdops-rotate-tls   ReconfigureTLS   Successful   101s
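
A Successful status does not by itself show that the client certificate changed. As an added example (not part of the KubeDB documentation), the shell functions below compare the certificate extracted before the rotation with the one extracted afterwards. The function names and the 24-hour expiry threshold are assumptions, and the openssl CLI must be installed.

```shell
# Added example, not from the KubeDB docs. Function names are hypothetical.
# Requires the openssl CLI; inputs are PEM files extracted from the
# qdrant-sample-client-cert secret as shown earlier in this tutorial.

# SHA-256 fingerprint of the certificate in PEM file $1.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when private key $2 belongs to certificate $1.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_rotation OLD_CRT NEW_CRT NEW_KEY CA_CRT
# Prints one verdict line; returns 0 only when every check passes.
check_rotation() {
  old_crt=$1; new_crt=$2; new_key=$3; ca_crt=$4
  if [ "$(cert_fingerprint "$old_crt")" = "$(cert_fingerprint "$new_crt")" ]; then
    echo "FAIL: certificate was not reissued"; return 1
  fi
  if ! openssl verify -CAfile "$ca_crt" "$new_crt" >/dev/null 2>&1; then
    echo "FAIL: new certificate does not chain to the CA"; return 2
  fi
  if ! key_matches_cert "$new_crt" "$new_key"; then
    echo "FAIL: tls.key does not match tls.crt"; return 3
  fi
  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$new_crt" -noout -checkend 86400 >/dev/null; then
    echo "FAIL: new certificate expires within 24 hours"; return 4
  fi
  echo "OK: rotated to $(cert_fingerprint "$new_crt")"
}

# Usage with the tutorial's file names:
#   before rotating:   cp tls.crt old.crt
#   after Successful:  re-run the three "Extract the certificates" commands, then
#   check_rotation old.crt tls.crt tls.key ca.crt
```

The fingerprint comparison still detects a reissue when the private key is reused, because the serial number and validity dates of the new certificate differ.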

Remove TLS from the Database

In this section, we are going to reconfigure the TLS settings of the database by removing the TLS configuration.

apiVersion: ops.kubedb.com/v1alpha1
kind: QdrantOpsRequest
metadata:
  name: qdops-remove-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: qdrant-sample
  tls:
    remove: true

Here,

  • spec.tls.remove specifies that we are removing the TLS configuration from the qdrant-sample database.

$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.5-rc.1/docs/examples/qdrant/reconfigure-tls/remove-tls.yaml
qdrantopsrequest.ops.kubedb.com/qdops-remove-tls created

Let’s wait for QdrantOpsRequest to be Successful:

$ kubectl get qdrantopsrequest -n demo qdops-remove-tls -w
NAME               TYPE             STATUS       AGE
qdops-remove-tls   ReconfigureTLS   Successful   3m

Verify that TLS has been removed:

$ kubectl get qdrant -n demo qdrant-sample -o yaml | grep tls

No TLS fields should appear in the output.

Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

kubectl delete qdrantopsrequest -n demo qdops-add-tls qdops-rotate-tls qdops-remove-tls
kubectl delete qdrant -n demo qdrant-sample
kubectl delete issuer -n demo qdrant-issuer
kubectl delete ns demo