Enabling Access & TLS

Each Hydrolix cluster can be configured with different access restrictions and can have TLS enabled for secure communication. Access restrictions come in the form of IP allow-lists and Basic Authentication for the end-point services (Streaming Ingest, Query end-points, etc.). TLS (Transport Layer Security) can also be enabled to secure the end-points (UI, Streaming Ingest, Query - native and HTTP, etc.).

Enable IP Access to your Cluster

Each new Hydrolix cluster is created with a network IP access restriction that limits connectivity to the cluster as a whole, including the various end-points it exposes (Streaming Ingest API, Query API). IP access restrictions are applied directly as a Kubernetes network policy.

For example, to allow access from any address, the following hkt command generates a hydrolixcluster.yaml with a public (0.0.0.0/0) allow-list.

hkt hydrolix-cluster --db-bucket-url gs://hydrolix-demo --kubernetes-namespace hydrolix --hydrolix-url https://demo.hydrolix.net --admin-email [email protected] --ip-allowlist 0.0.0.0/0

This generates the following spec in the hydrolixcluster.yaml cluster configuration file:

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
  name: hydrolix
  namespace: hydrolix
spec:
  admin_email: [email protected]
  db_bucket_url: gs://hydrolix-demo
  env: {}
  hydrolix_url: https://demo.hydrolix.net
  ip_allowlist:
  - 0.0.0.0/0
  kubernetes_namespace: hydrolix
  overcommit: false
  scale: {}
  scale_profile: minimal

It is possible to specify multiple CIDR blocks; ip_allowlist expects the following format in the configuration file.

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
  name: hydrolix
  namespace: hydrolix
spec:
  admin_email: [email protected]
  basic_auth:
  - version
  db_bucket_url: gs://hydrolix-demo
  env: {}
  hydrolix_url: https://demo.hydrolix.net
  ip_allowlist:
  - 23.235.32.0/20
  - 43.249.72.0/22
  - 103.244.50.0/24
  kubernetes_namespace: hydrolix
  overcommit: false
  scale: {}
  scale_profile: minimal
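Before applying the file, it is worth checking what an ip_allowlist actually admits. The following script is an added example (not part of hkt or Hydrolix): it parses the CIDR blocks from the configuration above with Python's standard ipaddress module, flags a public 0.0.0.0/0 entry, unusually broad blocks and redundant entries, and tests whether a given client address would be admitted. The "broader than /16" threshold is the example's own assumption, not a Hydrolix rule.

```python
"""Audit a hydrolixcluster.yaml ip_allowlist before applying it.

Added example, not Hydrolix code. The "broader than /16" threshold is an
assumption of this script, not a Hydrolix rule.
"""
import ipaddress
from typing import List

# Constructed sample: the three CIDR blocks from the configuration above.
SAMPLE_ALLOWLIST = ["23.235.32.0/20", "43.249.72.0/22", "103.244.50.0/24"]
BROAD_PREFIX = 16  # flag anything wider than a /16 (assumption)


def parse_allowlist(entries: List[str]):
    """Parse strictly so entries with host bits set (10.1.2.3/24) are rejected."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid ip_allowlist entry {entry!r}: {exc}") from exc
    return nets


def audit_allowlist(entries: List[str]) -> List[str]:
    """Return findings an operator should review; an empty list means nothing flagged."""
    nets = parse_allowlist(entries)
    findings = []
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"{net} exposes every endpoint to the whole Internet")
        elif net.prefixlen < BROAD_PREFIX:
            findings.append(f"{net} is broader than a /{BROAD_PREFIX}; confirm it is intended")
    for a in nets:
        for b in nets:
            # subnet_of only compares networks of the same IP version
            if a != b and a.version == b.version and a.subnet_of(b):
                findings.append(f"{a} is redundant, already covered by {b}")
    return findings


def is_allowed(entries: List[str], client_ip: str) -> bool:
    """Would a connection from client_ip pass the allowlist?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allowlist(entries))


if __name__ == "__main__":
    print(audit_allowlist(SAMPLE_ALLOWLIST) or ["no findings"])
    print(audit_allowlist(["0.0.0.0/0"]))
    print(is_allowed(SAMPLE_ALLOWLIST, "23.235.40.7"), is_allowed(SAMPLE_ALLOWLIST, "8.8.8.8"))
```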

Enable TLS (optional)

The Hydrolix platform can use TLS when communicating with its service end-points, including Query (native and HTTP), HTTP Stream Ingest, the Configuration API and the UI. When enabled, TLS is managed by the Traefik component, which by default uses a self-signed certificate.

To enforce TLS, change the protocol of the hydrolix_url value in the hydrolixcluster.yaml configuration file to https:

.......

  hydrolix_url: https://demo.hydrolix.net -> Will force Hydrolix cluster to use TLS
  hydrolix_url: http://demo.hydrolix.net -> Will force Hydrolix cluster to use plain HTTP.

......

If you wish to use an alternative certificate, it can be loaded using the kubectl tool. Note that the certificate chain must be in a specific order, shown below.

kubectl create secret tls traefik-tls --key=certificates.key --cert=fullchain.pem

🚧

Certificate Chains in Kubernetes

Kubernetes requires full-chain certificates. When intermediate certificates are involved, the chain must be ordered as follows:

-----BEGIN CERTIFICATE-----
{ Your issued Certificate }
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{Intermediate Certificate}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{Root Certificate}
-----END CERTIFICATE-----

Kubernetes will typically throw a certificate validation error if this is not done.

This creates a secret in Kubernetes in which your certificate and private key are stored and from which Traefik reads them.

Once you have updated your configuration to enable TLS and added your certificates to Kubernetes, you need to restart Traefik with the following command:

kubectl rollout restart deployment traefik

To renew a certificate, update the secret with the new certificate and key file, then restart Traefik. For example:

kubectl delete secret traefik-tls
kubectl create secret tls traefik-tls --key=privkey.pem --cert=fullchain.pem
kubectl rollout restart deployment traefik

🚧

Native port change from 9000 to 9440

Once TLS is enabled, the native ClickHouse interface listens on port 9440 by default.

Enable Basic Authorization (optional)

For end-point security, Hydrolix can protect its HTTP end-points with Basic Authentication. To enable it, add a basic_auth list to the hydrolixcluster.yaml configuration file naming the services it should apply to. The following end-points support Basic Authentication:

Service        Description
stream-head    For HTTP based ingest on /ingest/events
prometheus     For HTTP query of the /prometheus service
version        For HTTP query on /version, which displays the currently deployed version
ui             For the Hydrolix web interface
validator      For HTTP query on /validator to test a transform
query          For the HTTP query endpoint /query/ (this is different from query authentication, which leverages user rights; here it is just basic authorization at the proxy level)

📘

Config API

The configuration API uses its own authorization mechanism based on Bearer tokens; see the Config API specification for details.

For example, to add Basic Authentication on the version end-point, the following would be added:

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
    .............
spec:
  .........
  basic_auth:  <------ADD
  - version    <----- ADD
  ...........

By default Hydrolix generates a random password and stores it in the Kubernetes secret named general. Secret values are base64 encoded; the following command retrieves and decodes the password:

kubectl get secret general -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d ; echo

📘

hydrolix default user

The username for Basic Authentication is hydrolix

For example:

curl -u hydrolix:p3I3J7wvERQeW6KcR1IF6Gg https://$hostname/version

Modifying the default secret

You can modify the default password by updating the Kubernetes secret:

kubectl edit secrets general

Modify the TRAEFIK_PASSWORD variable and set it to your base64-encoded password.

Per-service credentials for Basic Auth

Each service end-point can have its own Basic Auth password. To use per-service credentials, add entries to the curated secret.

The username for Basic Auth will be hydrolix-$SERVICE.

---
apiVersion: v1
kind: Secret
metadata:
  name: curated
  namespace: hdxcli-$clientid
stringData:
  TRAEFIK_STREAM_HEAD_PASSWORD: mousie-thou-art-no-thy-lane
type: Opaque

In this example, the username is hydrolix-stream-head and the password is mousie-thou-art-no-thy-lane.
The services that support Basic Authentication are listed in the table above.
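To see how the default and per-service credentials fit together, here is an added example (not Hydrolix code) that decodes the base64 data of the general and curated secrets as returned by kubectl, maps each service to the username and password Traefik expects, and builds the Authorization header that curl -u sends. It assumes the key naming shown above generalises to other services (TRAEFIK_<SERVICE>_PASSWORD with the service name upper-cased and "-" replaced by "_") and that a per-service entry takes precedence over the default for that service; the sample secret JSON is constructed, using the two passwords quoted on this page.

```python
"""Resolve Hydrolix Basic Auth credentials from the Kubernetes secrets.

Added example, not Hydrolix code. Assumes TRAEFIK_PASSWORD (secret "general") is
the default user "hydrolix", and that TRAEFIK_<SERVICE>_PASSWORD (secret "curated",
service upper-cased with "-" -> "_") is user hydrolix-<service> and takes precedence.
"""
import base64
import json
import re

SERVICES = ["stream-head", "prometheus", "version", "ui", "validator", "query"]
_KEY_RE = re.compile(r"^TRAEFIK_([A-Z0-9_]+)_PASSWORD$")

# Constructed samples shaped like `kubectl get secret <name> -o json`, with this page's passwords.
GENERAL_JSON = json.dumps({"data": {
    "TRAEFIK_PASSWORD": base64.b64encode(b"p3I3J7wvERQeW6KcR1IF6Gg").decode()}})
CURATED_JSON = json.dumps({"data": {
    "TRAEFIK_STREAM_HEAD_PASSWORD": base64.b64encode(b"mousie-thou-art-no-thy-lane").decode()}})


def decode_secret_data(secret_json: str) -> dict:
    """Decode the base64 values of the secret's .data map (what `base64 -d` does above)."""
    data = json.loads(secret_json).get("data") or {}
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


def resolve_credentials(general: dict, curated: dict) -> dict:
    """Map each service to the (username, password) pair Traefik expects."""
    default = general.get("TRAEFIK_PASSWORD")
    creds = {svc: ("hydrolix", default) for svc in SERVICES} if default else {}
    for key, password in curated.items():
        match = _KEY_RE.match(key)
        if not match:
            continue
        svc = match.group(1).lower().replace("_", "-")  # STREAM_HEAD -> stream-head
        if svc in SERVICES:
            creds[svc] = (f"hydrolix-{svc}", password)
    return creds


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value that `curl -u user:pass` sends."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


if __name__ == "__main__":
    creds = resolve_credentials(decode_secret_data(GENERAL_JSON), decode_secret_data(CURATED_JSON))
    for svc, (user, password) in creds.items():
        print(f"{svc:12} {user:22} {basic_auth_header(user, password)}")
```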

🚧

Rollout restart traefik

After any modification affecting Traefik (enabling TLS, enabling Basic Authentication, modifying the secret) you need to restart Traefik using:
kubectl rollout restart deployment traefik