Enable TLS
Adding a Certificate
Hydrolix provides multiple ways to manage certificates on your cluster. You can:
- generate and manage the certificate entirely within Hydrolix
- upload your own certificate to your cluster
Native port change from 9000 to 9440
When TLS is enabled, the native ClickHouse interface listens on port 9440 instead of 9000.
You should use TLS when communicating with Hydrolix endpoints. The traefik component manages TLS. By default, Hydrolix uses a self-signed certificate. If you want to use cert-manager to generate and manage certificates for you, see Add a Custom Certificate.
To enable TLS, set the protocol of the hydrolix_url setting in your hydrolixcluster.yaml configuration file to https:

hydrolix_url: https://demo.hydrolix.net -> forces the Hydrolix cluster to use TLS
hydrolix_url: http://demo.hydrolix.net -> forces the Hydrolix cluster to use plain HTTP
Hydrolix-Generated Certificate
Hydrolix can handle TLS certificate generation for you.
You'll need:
- an active DNS record for your Hydrolix cluster's URL
- public access to the IP that hosts your cluster (for the certificate challenge).
Installation Steps
- Set the configuration option acme_enabled to true in hydrolixcluster.yaml.
- Load the configuration changes to your Hydrolix cluster. Hydrolix will automatically generate a certificate for your cluster and store it in a Kubernetes secret named traefik-tls.
If your cluster uses an allowlist, Hydrolix will add the Buypass ACME certificate provider IP address to the allowlist. If your cluster does not use an allowlist, Hydrolix uses the Let's Encrypt certificate provider.
Hydrolix refreshes the certificate weekly, but the certificate itself is valid for 90 days.
Confirming the Certificate Generation
First, check that a certificate is deployed. The following command shows the details of the certificate secret:
$ kubectl -n <namespace> get secret traefik-tls -o yaml
For example:
$ kubectl -n hydrolix get secret traefik-tls -o yaml
apiVersion: v1
data:
  tls.crt: someCertificateData
  tls.key: someCertificateData
kind: Secret
metadata:
  creationTimestamp: "2023-06-27T15:27:12Z"
  name: traefik-tls
  namespace: hydrolix
  resourceVersion: "32029846"
  uid: 33c06aa2-b81f-44a9-9123-c24e1af94bb5
type: kubernetes.io/tls
When acme_enabled is set to true, you should also find that an init job has run in the cluster and that a new cronjob has been created.
To confirm that the init job has run, run the following command:
$ kubectl -n <namespace> get job --field-selector status.successful=1 | grep acme
init-acme-509c50f0 1/1 21s 24h
Note: this job may no longer be listed if the service has been running for a while, because records of successful jobs are cleaned up.
A Kubernetes cronjob is also created at startup. To check that it has been created, run the following command; a cronjob called acme-renewal should be listed:
$ kubectl -n <namespace> get cronjob
NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
acme-renewal 0 2 * * SUN False 0 <none> 24h
Certificate issues
If no certificate is deployed, there can be various reasons. The certificate request process retries 6 times before halting. To check the status, look at the logs of the init-acme job or the acme pods, which will typically show where something has failed.
Some things to check include:
- AWS-specific allowlist: if you have IP allowlists enabled, be aware that VPC security groups for the underlying AWS load balancer can have a maximum of 60 rules. If this limit has been reached, the IPs of the certificate renewal service will not be added to the load balancer, which blocks the HTTP callback from the CA. A quick fix is to set the allowlist to 0.0.0.0/0 until the certificate is deployed. If this is not possible, an alternative method for certificates may be needed: Route53 certificates, Cloudflare certificates, Google Cloud DNS certificates.
- Let's Encrypt is busy: this is usually seen with a log line similar to the one below and is caused by the number of requests going to the Let's Encrypt service. To resolve it, wait for 30 minutes and restart the service.
acme: error: 0 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Service busy; retry later., url:
- No cronjob: if no cronjob is listed, it is likely that the initial init script has not been run. Follow the instructions below to re-run the init job.
Restarting the Certificate Generation
To set up the certificate generation service again:
- Delete the init-acme job:
$ kubectl -n <namespace> get jobs | grep init-acme
kubectl -n <namespace> delete job <job name>
- Delete the acme-renewal cronjob (if it exists):
$ kubectl -n <namespace> get cronjobs | grep acme-renewal
kubectl -n <namespace> delete cronjob acme-renewal
- Restart the operator:
kubectl rollout restart deployment operator
Loading Your Own Certificate
To specify a certificate, load one with kubectl:
kubectl create secret tls traefik-tls --key=certificates.key --cert=fullchain.pem
This creates a secret in Kubernetes called traefik-tls and stores your certificate and private key in that secret. traefik automatically checks for the traefik-tls secret, and uses it if a valid configuration exists.
Certificate Chain Order
Kubernetes requires full-chain certificates. The certificate chain should begin with your certificate, continue with the intermediate certificates down the chain, and end with the root certificate:
-----BEGIN CERTIFICATE-----
{ Your issued Certificate }
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{ Intermediate Certificate }
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{ Root Certificate }
-----END CERTIFICATE-----
To put your changes into effect, restart traefik
with the following command:
kubectl rollout restart deployment traefik
Renewing your own Certificate
Hydrolix-generated certificates are updated automatically
A Hydrolix-generated certificate is renewed automatically. If you are having issues with the renewal, please reach out to Hydrolix Support.
To renew a certificate:
- Delete the existing traefik-tls secret:
kubectl delete secret traefik-tls
- Create a new traefik-tls secret containing the new certificate:
kubectl create secret tls traefik-tls --key=privkey.pem --cert=fullchain.pem
- Restart traefik to put your changes into effect:
kubectl rollout restart deployment traefik