TLS Authentication
This topic describes how to define secrets with TLS certificates for authentication over TLS.
Overview
EGS supports TLS-based authentication for secure communication with Prometheus. This ensures that metrics are exchanged over a channel that is both encrypted and mutually authenticated: the client certificate in the secret identifies the caller, and the CA certificate lets it verify the server.
Info:
- TLS authentication is applicable to EGS version 1.15.0 and later.
- TLS-based Prometheus authentication is supported only for ingress endpoints. It does not apply to other service types such as LoadBalancer, NodePort, or ClusterIP.
Prerequisites
Before you begin configuring TLS-based Prometheus authentication, ensure that you have the following prerequisites:
- You have a valid TLS certificate and private key. This certificate should be issued by a trusted Certificate Authority (CA).
- You have access to the controller cluster where the API Gateway is deployed.
Define Secrets with TLS Certificates
To define secrets with TLS certificates:
- Create a YAML file called secrets.yaml with the following properties. The values under data must be base64-encoded PEM content on a single line (a line-wrapped base64 value is not accepted by the API server).

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: <cluster-name>-prometheus-cert # Replace <cluster-name> with the name of your worker cluster
    namespace: <project-namespace> # Replace <project-namespace> with the namespace of your project
  data:
    ca.crt: <ca.crt base64 encoded> # Replace <ca.crt base64 encoded> with the base64-encoded value of your CA certificate
    tls.crt: <client.crt base64 encoded> # Replace <client.crt base64 encoded> with the base64-encoded value of your TLS certificate
    tls.key: <client.key base64 encoded> # Replace <client.key base64 encoded> with the base64-encoded value of your TLS private key
  ```

- Apply the secrets.yaml file to create the secret on the controller cluster:

  ```bash
  kubectl apply -f secrets.yaml
  ```
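The two steps above are usually scripted rather than edited by hand, and the common mistakes are pointing at a non-PEM file or pasting a base64 value that was wrapped at 76 columns. The following helper is an added example, not part of the EGS documentation or product: it checks each input is PEM of the expected kind, encodes it on a single line, and renders the same Secret manifest shown above. The cluster name, namespace and file paths are arguments you supply; the function and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not EGS documentation): render the Prometheus TLS Secret
# manifest from PEM files, with sanity checks before anything is encoded.
#
# Usage:
#   build_prometheus_tls_secret <cluster-name> <project-namespace> \
#       <ca.crt> <client.crt> <client.key> > secrets.yaml
#   kubectl apply -f secrets.yaml

# Single-line base64. GNU base64 wraps at 76 columns by default, and a
# wrapped value would make the manifest invalid, so strip newlines.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Fail if a file is missing, empty, or does not carry the expected PEM header.
check_pem() {
    file="$1"; marker="$2"
    [ -s "$file" ] || { echo "error: $file missing or empty" >&2; return 1; }
    grep -q -- "-----BEGIN $marker" "$file" \
        || { echo "error: $file is not a PEM $marker" >&2; return 1; }
}

# Print the Secret manifest on stdout; return non-zero on any bad input.
build_prometheus_tls_secret() {
    cluster="$1"; ns="$2"; ca="$3"; crt="$4"; key="$5"
    check_pem "$ca" "CERTIFICATE" || return 1
    check_pem "$crt" "CERTIFICATE" || return 1
    # Keys appear as "PRIVATE KEY", "RSA PRIVATE KEY" or "EC PRIVATE KEY";
    # match on the shared suffix of the header.
    [ -s "$key" ] || { echo "error: $key missing or empty" >&2; return 1; }
    grep -q "PRIVATE KEY-----" "$key" \
        || { echo "error: $key is not a PEM private key" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${cluster}-prometheus-cert
  namespace: ${ns}
data:
  ca.crt: $(b64_oneline "$ca")
  tls.crt: $(b64_oneline "$crt")
  tls.key: $(b64_oneline "$key")
EOF
}
```

Redirect the output to secrets.yaml and apply it as in step 2. Because the private key ends up base64-encoded (not encrypted) in the Secret, restrict access to the project namespace with RBAC and keep the generated file out of version control.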