You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to KubeDB? Please start here.
Reconfiguring TLS of Milvus
This guide will give an overview on how KubeDB Ops-manager operator reconfigures TLS configuration i.e. add TLS, remove TLS, update issuer/cluster issuer and rotate the certificates of a Milvus database.
Before You Begin
- You should be familiar with the following
KubeDBconcepts:
How Reconfiguring Milvus TLS Configuration Process Works
A MilvusOpsRequest of type ReconfigureTLS drives every TLS change. Depending on which field you set in spec.tls, the operator performs one of four operations:
| Field | Operation |
|---|---|
spec.tls.issuerRef + spec.tls.external/spec.tls.internal | Add TLS to a non-TLS database (or update the protocol mode). |
spec.tls.rotateCertificates: true | Rotate the existing certificates (re-issue from the same issuer). |
spec.tls.issuerRef pointing at a new issuer | Change the issuer so future certificates chain to a different CA. |
spec.tls.remove: true | Remove TLS from the database. |
The high-level flow is:
- A user creates a
MilvusOpsRequestof typeReconfigureTLS. - The operator validates the request and pauses the referenced
Milvusdatabase. - cert-manager issues (or re-issues) the
serverandclientcertificates into the<db>-server-certand<db>-client-certsecrets, or those secrets are removed for a TLS-removal request. - The operator updates the rendered
milvus.yaml(internaltls/tlsMode/security) and the PetSets, mounting the certificates at/milvus/tls. - Pods are restarted to pick up the new TLS material.
- Once all pods are healthy, the operator resumes the database and marks the
MilvusOpsRequestasSuccessful.
Milvus TLS Layers
Milvus exposes two independent TLS surfaces, both configured under spec.tls:
external— controls client-facing traffic (gRPC on port19530and REST on port8080). Modes:Disabled,TLS(server-only) andmTLS(mutual — clients must present theclientcertificate).internal— controls inter-component traffic between Milvus roles. Modes:DisabledandTLS.
Certificates are described by aliases:
server— server certificate used by the database endpoints.client— client certificate (used by the database for mutual auth and mounted for client tooling).
In the next docs, we will see a step-by-step guide on reconfiguring TLS of a Milvus database using MilvusOpsRequest.































