Encryption

In-Flight (TLS) Encryption

In-flight encryption for UltiHash can be configured on two different levels:

Internal Ingress object - part of the UltiHash deployment on Kubernetes
External load balancer - a proxy that fronts Kubernetes cluster and distributes traffic to its nodes

Configure TLS on the Ingress level

The Helm chart deploys UltiHash with a dedicated Ingress object by default. The object is located in the same namespace as the deployed UltiHash cluster and can be found by executing the command below (replace <namespace> with the Kubernetes namespace where your UltiHash cluster is deployed):

kubectl get ingress -n <namespace>

The Ingress object can be configured in a custom way via Helm values:

entrypoint:
  ingress:
     # Make sure Ingress is enabled to expose UltiHash cluster outside your Kubernetes cluster
    enabled: true
     # Specify a domain name under which the UltiHash cluster will be accessible outside the Kubernetes cluster          
    host: example.domain.name
    # Add annotations specific for your Ingress controller if required          
    annotations: {} 
    # Configure in-flight encryption by using TLS    
    tls: []

To enable TLS encryption at Ingress level perform the following actions:

register a domain name for UltiHash cluster in your private or public DNS server (for example example.domain.name)
generate TLS private key and certificate bound to your registered domain name
create a Kubernetes secret in your UltiHash namespace with TLS credentials as shown here (assume the secret's name is secret-tls)
enable the Ingress object using your domain name and the corresponding TLS secret in the helm values:

entrypoint:
 ingress:
   enabled: true         
   host: example.domain.name       
   annotations: {}   
   tls:
    - hosts:
      - example.domain.name
      secretName: secret-tls

Configure TLS encryption on the external load balancer level

The TLS configuration for an external load balancer heavily depends on the type of the used load balancer. Please refer to the documentation of your load balancer.

This guide shows the TLS configuration for a network load balancer on AWS (the recommended load balancer type to use on AWS for higher performance).

In the case of Nginx Inress controller on AWS EKS cluster, here is an example of a network load balancer configuration with TLS. To provision a network load balancer automatically, the AWS load balancer controller has to be installed in advance. Modify the helm values of the Nginx Ingress controller's helm chart in the following way:

controller:
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-name: nlb-name                 # Specify the name for the load balancer
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing        # Specify the scheme for the load balancer (internal or internet-facing)
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: 10254
      service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet # Specify the subnet IDs or name in which the load balancer has to be provisioned
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:3223213123233:certificate/c6a3ff73-3eb8-4e72-9e68-2dsa4cce549c # Specify ARN of the ACM certificate (has to be provisioned in advance)
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http

Encryption at Rest

The configuration of at-rest encryption for UltiHash cluster depends on the CSI driver used on your Kubernetes cluster. Please refer to the documentation of your CSI driver.

The example below shows how to enable encryption at rest for data stored in UltiHash in the case of AWS EBS CSI driver. The driver has to be installed in advance before deploying UltiHash cluster, please follow the official guide. After the EBS CSI driver is installed, provision a storage class on your Kubernetes cluster with the configuration as shown below:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
 name: example-storage   # Specify a name for the storage class        
parameters:
 encrypted: "true"       # Enable the CSI driver to encrypt the EBS volumes it provisions
 type: gp3               # Select the required type of EBS volumes to provision ('gp2', 'gp3', 'io1', or other)
 # kmsKeyID: ""          # (optional): specify the KMS key to encrypt the provisioned EBS volumes. If omitted, the AWS-managed KMS key will be used 
provisioner: ebs.csi.aws.com
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true

To enable UltiHash cluster using the storage class above, specify it in the helm values of the UltiHash helm chart:

etcd:
 persistence:
   storageClass: example-storage

database:
 primary:
   persistence:
     storageClass: example-storage

storage:
  storageClass: example-storage

deduplicator:
  storageClass: example-storage

Last updated 4 months ago

Was this helpful?

entrypoint: ingress: # Make sure Ingress is enabled to expose UltiHash cluster outside your Kubernetes cluster enabled: true # Specify a domain name under which the UltiHash cluster will be accessible outside the Kubernetes cluster host: example.domain.name # Add annotations specific for your Ingress controller if required annotations: {} # Configure in-flight encryption by using TLS tls: []

controller: service: type: LoadBalancer annotations: service.beta.kubernetes.io/aws-load-balancer-name: nlb-name # Specify the name for the load balancer service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing # Specify the scheme for the load balancer (internal or internet-facing) service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: 10254 service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet # Specify the subnet IDs or name in which the load balancer has to be provisioned service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:3223213123233:certificate/c6a3ff73-3eb8-4e72-9e68-2dsa4cce549c # Specify ARN of the ACM certificate (has to be provisioned in advance) service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http

apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: example-storage # Specify a name for the storage class parameters: encrypted: "true" # Enable the CSI driver to encrypt the EBS volumes it provisions type: gp3 # Select the required type of EBS volumes to provision ('gp2', 'gp3', 'io1', or other) # kmsKeyID: "" # (optional): specify the KMS key to encrypt the provisioned EBS volumes. If omitted, the AWS-managed KMS key will be used provisioner: ebs.csi.aws.com reclaimPolicy: Delete volumeBindingMode: WaitForFirstConsumer allowVolumeExpansion: true

etcd: persistence: storageClass: example-storage database: primary: persistence: storageClass: example-storage storage: storageClass: example-storage deduplicator: storageClass: example-storage