Enabling Access & TLS

Enable Access to your Cluster

Each new Hydrolix cluster is created with network IP access restrictions that limit connectivity to the systems end-points (Config API, Ingest Streaming API, Query API).

To enable public accessibility you can use the following command:

hkt hydrolix-cluster --ip-allowlist 0.0.0.0/0

This generates the following spec in the cluster configuration file:

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
  name: hdxcli-$clientid
  namespace: hdxcli-$clientid
spec:
  admin_email: [email protected]
  client_id: hdxcli-$clientid
  cloud: gcp
  domain: company.com
  env:
    EMAIL_PASSWORD: TO_BE_PROVIDED
  host: hydrolix
  ip_allowlist:
  - source: 0.0.0.0/0
  owner: admin
  region: us-central1
  scale: {}
  scale_profile: minimal

If you want to be more specific about which IPs you allow, you can specify the CIDR blocks that have access.

You can view all the services using:

kubectl get services

These are the services we recommend restricting for access:

Service name | Allowed List
native       | ClickHouse native interface over 9000 for plain TCP and 9440 for TLS
prometheus   | Prometheus remote read access on /prometheus
query-head   | HTTP interface for SQL query on /query
stream-head  | HTTP interface to ingest events on /ingest/events
turbine-api  | HTTP REST API endpoint to manage configuration
ui           | Web interface
version      | HTTP interface which outputs the current version on /version

If you want to keep ingesting data from anywhere but limit UI access and query access over HTTP and the native protocol, you can use the following configuration:

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
  name: hdxcli-$clientid
  namespace: hdxcli-$clientid
spec:
  admin_email: [email protected]
  client_id: hdxcli-$clientid
  cloud: gcp
  domain: company.com
  env:
    EMAIL_PASSWORD: TO_BE_PROVIDED
  host: hydrolix
  ip_allowlist:
  - source: 0.0.0.0/0
  - source: 104.248.bbb.xxx/32
    service: query-head
  - source: 81.133.aaa.yyy/32
    service: query-head
  - source: 104.248.bbb.xxx/32
    service: ui
  - source: 81.133.aaa.yyy/32
    service: ui
  owner: admin
  region: us-central1
  scale: {}
  scale_profile: minimal

This allows everything by default, because the entry - source: 0.0.0.0/0 has no service attached to it, and then limits the UI and the query head to two IPs. You can list the different services, and if you want multiple CIDR blocks you can list each of them as a separate source.
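The following is an added example, not Hydrolix's own code: it models the ip_allowlist semantics described above (a source with no service is the cluster-wide default; entries that name a service override that default for that service only) and audits a spec for services that are still open to the world and for service names that do not match the service table. The allowlist entries and the TEST-NET addresses are constructed for the example; the semantics are an assumption drawn from this page's description, not from the operator's source.

```python
import ipaddress

# Service names from the table on this page.
SERVICES = ["native", "prometheus", "query-head", "stream-head",
            "turbine-api", "ui", "version"]

# Constructed sample, shaped like spec.ip_allowlist above, with TEST-NET
# addresses (RFC 5737) standing in for real client addresses.
ALLOWLIST = [
    {"source": "0.0.0.0/0"},                                  # default for all services
    {"source": "203.0.113.10/32", "service": "query-head"},
    {"source": "198.51.100.7/32", "service": "query-head"},
    {"source": "203.0.113.10/32", "service": "ui"},
    {"source": "198.51.100.7/32", "service": "ui"},
]


def effective_sources(allowlist, service):
    """Assumed semantics: if any entry names this service, only those entries
    apply; otherwise the entries without a service key apply."""
    scoped = [e["source"] for e in allowlist if e.get("service") == service]
    if not scoped:
        scoped = [e["source"] for e in allowlist if "service" not in e]
    return [ipaddress.ip_network(src, strict=False) for src in scoped]


def is_allowed(allowlist, service, client_ip):
    """Would a client at client_ip reach `service` under this allowlist?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in effective_sources(allowlist, service))


def world_open_services(allowlist, services=SERVICES):
    """Services whose effective allowlist still contains a /0 network."""
    return [s for s in services
            if any(net.prefixlen == 0 for net in effective_sources(allowlist, s))]


def unknown_services(allowlist, services=SERVICES):
    """Service names that match nothing in the table: such an entry silently
    restricts nothing, so the intended service stays on the default."""
    return sorted({e["service"] for e in allowlist
                   if "service" in e and e["service"] not in services})


if __name__ == "__main__":
    print("still world-open:", world_open_services(ALLOWLIST))
    print("unknown service names:", unknown_services(ALLOWLIST))
```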

Enable TLS (optional)

To enforce TLS, set use_tls in the hydrolixcluster YAML configuration file. use_tls: true enables TLS support in the traefik ingress component.

.......
            replicas: 2
    traefik:
      replicas: 2
  scale_profile: mega
  use_tls: true
status:
  kopf:
    progress: {}
......

By default traefik uses a self-signed certificate. If you want to provide your own certificate, use the following command:

kubectl create secret tls traefik-tls --key=certificates.key --cert=fullchain.pem

Certificate Chains in Kubernetes

Kubernetes requires full-chain certificates. When the chain includes intermediate certificates, the required ordering is as follows:

-----BEGIN CERTIFICATE-----
{ Your issued Certificate }
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{Intermediate Certificate}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{Root Certificate}
-----END CERTIFICATE-----

Kubernetes will typically throw a certificate validation error if this is not done.

The command above creates a secret in Kubernetes where your certificate and private key are stored and used by traefik.
Once you have updated your configuration to enable TLS and added your certificate to the Kubernetes secret, you need to restart traefik:

kubectl rollout restart deployment traefik

To renew the certificate, update the secret with the new certificate and key files and restart the traefik deployment:

kubectl delete secret traefik-tls
kubectl create secret tls traefik-tls --key=privkey.pem --cert=fullchain.pem
kubectl rollout restart deployment traefik

Native port change from 9000 to 9440

Once you have enabled TLS, the native ClickHouse interface listens on port 9440 by default.

The Final Step

You should have received an email that will now allow you to set a password and login. If you do not receive this email, please feel free to contact us at [email protected] and we'll happily assist you.
