StreamNative Platform supports enabling TLS with AWS Certificate Manager (ACM). When you want to perform TLS termination at the load balancer, you can use certificates with ACM. ACM handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.The load balancer offloads traffic to the backend service via TCP protocols.
One load balancer for Pulsar proxy with ports 6651/443
The DNS name is data.pulsar.example.local
One load balancer for nginx ingress controller with port 443
The DNS name is admin.pulsar.example.local
One load balancer for istio ingress( to KoP brokers ) with port 9093
The DNS name is messaging.pulsar.example.local
Enabling TLS with ACM is not applicable to KoP, since KoP needs TLS Server Name Indication (SNI) to route traffic that requires TLS termination on the broker side rather than the load balancer side.
To use certificates with ACM, complete the following steps.
In the YAML file, enable domain, configure the annotations, and use the ARN obtained above as shown.
Copy
Ask AI
tls: enabled: false proxy: enabled: false# Domain requested from External DNSdomain: enabled: true suffix: pulsar.example.local# Ingresses for exposing Pulsar servicesingress: proxy: enabled: true external_domain: data.pulsar.example.local type: LoadBalancer tls: enabled: true annotations: external-dns.alpha.kubernetes.io/hostname: 'data.pulsar.example.local' service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' service.beta.kubernetes.io/aws-load-balancer-type: nlb service.beta.kubernetes.io/aws-load-balancer-ssl-cert: '[ARN OF THE CERT]' # Enable this if the service is only accessed from the Amazon Virtual Private Cloud (Amazon VPC). #service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 extraSpec: externalTrafficPolicy: Local# Ingresses for exposing monitoring/management services publiclycontroller: enabled: true annotations: external-dns.alpha.kubernetes.io/hostname: 'admin.pulsar.example.local' service.beta.kubernetes.io/aws-load-balancer-ssl-cert: '[ARN OF THE CERT]' service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' extraSpec: externalTrafficPolicy: Local # flag whether to terminate the tls at the loadbalancer level tls: termination: truecontrol_center: enabled: true tls: enabled: true # Set external domain for the load balancer of the ingress controller external_domain: admin.pulsar.example.local external_domain_scheme: https://