- Operating StreamNative Platform
Enable TLS on load balancer
StreamNative Platform supports enabling TLS with AWS Certificate Manager (ACM). When you want to perform TLS termination at the load balancer, you can use certificates with ACM. ACM handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.
The load balancer offloads traffic to the backend service via TCP protocols.
- One load balancer for Pulsar proxy with ports
6651/443
- The DNS name is
data.pulsar.example.local
- The DNS name is
- One load balancer for nginx ingress controller with port
443
- The DNS name is
admin.pulsar.example.local
- The DNS name is
- One load balancer for istio ingress( to KoP brokers ) with port
9093
- The DNS name is
messaging.pulsar.example.local
- The DNS name is
Note
Enabling TLS with ACM is not applicable to KoP, since KoP needs TLS Server Name Indication (SNI) to route traffic that requires TLS termination on the broker side rather than the load balancer side.
To use certificates with ACM, complete the following steps.
Request a public certificate from ACM for the following domain names, and get the Amazon Resource Names (ARNs) for the certificate.
*.pulsar.example.local
In the YAML file, enable domain, configure the annotations, and use the ARN obtained above as shown.
tls: enabled: false proxy: enabled: false # Domain requested from External DNS domain: enabled: true suffix: pulsar.example.local # Ingresses for exposing Pulsar services ingress: proxy: enabled: true external_domain: data.pulsar.example.local type: LoadBalancer tls: enabled: true annotations: external-dns.alpha.kubernetes.io/hostname: 'data.pulsar.example.local' service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' service.beta.kubernetes.io/aws-load-balancer-type: nlb service.beta.kubernetes.io/aws-load-balancer-ssl-cert: '[ARN OF THE CERT]' # Enable this if the service is only accessed from the Amazon Virtual Private Cloud (Amazon VPC). #service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 extraSpec: externalTrafficPolicy: Local # Ingresses for exposing monitoring/management services publicly controller: enabled: true annotations: external-dns.alpha.kubernetes.io/hostname: 'admin.pulsar.example.local' service.beta.kubernetes.io/aws-load-balancer-ssl-cert: '[ARN OF THE CERT]' service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' extraSpec: externalTrafficPolicy: Local # flag whether to terminate the tls at the loadbalancer level tls: termination: true control_center: enabled: true tls: enabled: true # Set external domain for the load balancer of the ingress controller external_domain: admin.pulsar.example.local external_domain_scheme: https://
Apply the changes by restarting the Pulsar proxy.
helm upgrade -f /path/to/your/file.yaml <release_name> streamnative/sn-platform -n <k8s_namespace>