Encryption
In-Flight (TLS) Encryption
In-flight encryption for UltiHash can be configured on two different levels:
Internal Ingress object - part of the UltiHash deployment on Kubernetes
External load balancer - a proxy that fronts the Kubernetes cluster and distributes traffic to its nodes
Configure TLS on the Ingress level
The Helm chart deploys UltiHash with a dedicated Ingress object by default. The object is located in the same namespace as the deployed UltiHash cluster and can be listed with the command below (replace <namespace> with the Kubernetes namespace where your UltiHash cluster is deployed):
kubectl get ingress -n <namespace>
The Ingress object can be customized via Helm values:
entrypoint:
  ingress:
    # Make sure Ingress is enabled to expose the UltiHash cluster outside your Kubernetes cluster
    enabled: true
    # Specify a domain name under which the UltiHash cluster will be accessible outside the Kubernetes cluster
    host: example.domain.name
    # Add annotations specific to your Ingress controller if required
    annotations: {}
    # Configure in-flight encryption by using TLS
    tls: []
To enable TLS encryption at the Ingress level, perform the following steps:
1. Register a domain name for the UltiHash cluster in your private or public DNS server (for example example.domain.name).
2. Generate a TLS private key and a certificate bound to the registered domain name. Clients validate the name against the certificate's Subject Alternative Name, so the domain must appear there, not only in the Common Name.
3. Create a Kubernetes Secret of type kubernetes.io/tls in your UltiHash namespace holding the key and certificate (see the Kubernetes documentation on TLS secrets; assume the secret's name is secret-tls).
4. Enable the Ingress object with your domain name and the corresponding TLS secret in the Helm values:
entrypoint:
  ingress:
    enabled: true
    host: example.domain.name
    annotations: {}
    tls:
      - hosts:
          - example.domain.name
        secretName: secret-tls
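The script below is an added example and is not part of the UltiHash chart or its documentation. It builds the kubernetes.io/tls Secret manifest that step 3 refers to (the same object kubectl create secret tls produces), renders the entrypoint.ingress values of step 4, and checks that the two agree (matching host, matching secretName, correct Secret type, PEM-shaped data) before anything is applied with helm or kubectl. The PEM blobs are constructed placeholders rather than real key material, the namespace ultihash is an assumption, and the subjectAltName check shells out to the openssl CLI only if it is installed.

```python
import base64
import re
import shutil
import subprocess

# Constructed placeholder PEM blobs (not real key material) so the example runs offline;
# in practice these come from the key and certificate files generated in step 2.
SAMPLE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==\n"
    "-----END PRIVATE KEY-----\n"
)
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=\n"
    "-----END CERTIFICATE-----\n"
)


def tls_secret_manifest(name, namespace, key_pem, cert_pem):
    """Same object `kubectl create secret tls <name> --key ... --cert ...` produces."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(cert_pem.encode()).decode(),
            "tls.key": base64.b64encode(key_pem.encode()).decode(),
        },
    }


def ingress_values(host, secret_name):
    """entrypoint.ingress Helm values wired to the TLS secret, as in step 4."""
    return {"entrypoint": {"ingress": {
        "enabled": True,
        "host": host,
        "annotations": {},
        "tls": [{"hosts": [host], "secretName": secret_name}],
    }}}


def _pem_block(data_b64, label):
    """Decode one Secret data value and confirm it is a PEM block carrying `label`."""
    try:
        text = base64.b64decode(data_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    # Accepts e.g. 'RSA PRIVATE KEY' / 'EC PRIVATE KEY' as well as 'PRIVATE KEY'.
    if re.search(rf"-----BEGIN (?:[A-Z]+ )*{label}-----", text) and "-----END " in text:
        return text
    return None


def check_ingress_tls(values, secret):
    """Return findings (empty list = consistent) for a Helm values + Secret pair."""
    ing = values["entrypoint"]["ingress"]
    findings = []
    if not ing.get("enabled"):
        findings.append("ingress.enabled is false: the cluster is not exposed")
    if not ing.get("tls"):
        findings.append("ingress.tls is empty: the Ingress serves plaintext HTTP only")
        return findings
    host = ing["host"]
    secret_name = secret["metadata"]["name"]
    for entry in ing["tls"]:
        if host not in entry.get("hosts", []):
            findings.append(f"tls.hosts {entry.get('hosts')} does not include ingress.host {host}")
        if entry.get("secretName") != secret_name:
            findings.append(f"tls.secretName {entry.get('secretName')!r} does not match Secret {secret_name!r}")
    if secret.get("type") != "kubernetes.io/tls":
        findings.append(f"Secret type is {secret.get('type')!r}, expected kubernetes.io/tls")
    data = secret.get("data", {})
    if _pem_block(data.get("tls.crt", ""), "CERTIFICATE") is None:
        findings.append("tls.crt is missing or not a PEM certificate")
    if _pem_block(data.get("tls.key", ""), "PRIVATE KEY") is None:
        findings.append("tls.key is missing or not a PEM private key")
    return findings


def san_dns_names(cert_pem):
    """DNS names from the certificate's subjectAltName via the openssl CLI (assumed installed).
    Returns None when openssl is absent or the PEM cannot be parsed, so callers report 'unverified'."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=cert_pem.encode(), capture_output=True)
    if proc.returncode != 0:
        return None
    return re.findall(r"DNS:([^,\s]+)", proc.stdout.decode(errors="replace"))


def san_covers_host(san_names, host):
    """Exact match or single-label wildcard match (*.domain.name covers example.domain.name only)."""
    for name in san_names:
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


if __name__ == "__main__":
    import json
    secret = tls_secret_manifest("secret-tls", "ultihash", SAMPLE_KEY_PEM, SAMPLE_CERT_PEM)  # namespace assumed
    values = ingress_values("example.domain.name", "secret-tls")
    print(json.dumps(secret, indent=2))  # pipe into `kubectl apply -f -`
    for line in check_ingress_tls(values, secret) or ["OK: Helm values and Secret are consistent"]:
        print(line)
    names = san_dns_names(SAMPLE_CERT_PEM)
    if names is None:
        print("SAN not verified (openssl missing or certificate not parseable)")
    elif not san_covers_host(names, values["entrypoint"]["ingress"]["host"]):
        print("certificate SAN does not cover ingress.host")
```

Run it with the real tls.key and tls.crt in place of the placeholders; the printed manifest can be applied with kubectl, and a non-empty findings list (or a SAN that does not cover the host) means the Ingress would either serve plaintext or present a certificate that clients reject.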
Configure TLS encryption on the external load balancer level
The TLS configuration of an external load balancer depends heavily on the type of load balancer in use; refer to the documentation of your load balancer. This guide shows the TLS configuration for an AWS Network Load Balancer (NLB), the recommended load balancer type on AWS for higher performance.
The example below is for the NGINX Ingress controller on an AWS EKS cluster. To have the NLB provisioned automatically, the AWS Load Balancer Controller has to be installed in advance. Modify the Helm values of the NGINX Ingress controller's Helm chart in the following way:
Note that with these annotations TLS terminates at the NLB (the ACM certificate is presented by the load balancer) and the hop from the NLB to the Ingress controller pods is plaintext HTTP inside the VPC. If encryption is required end to end, configure TLS on the Ingress level as described above as well and switch the backend protocol annotation to ssl so the NLB re-encrypts towards the pods; the AWS Load Balancer Controller annotation reference also documents the ssl-negotiation-policy annotation, which selects the minimum TLS version and cipher suites the NLB accepts.
controller:
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-name: nlb-name # Specify the name for the load balancer
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing # Specify the scheme for the load balancer (internal or internet-facing)
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: 10254
      service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-xxxx, mySubnet # Specify the subnet IDs or names in which the load balancer has to be provisioned
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:3223213123233:certificate/c6a3ff73-3eb8-4e72-9e68-2dsa4cce549c # Specify the ARN of the ACM certificate (has to be provisioned in advance)
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
Encryption at Rest
At-rest encryption for an UltiHash cluster is provided by the storage layer, so its configuration depends on the CSI driver used on your Kubernetes cluster. Please refer to the documentation of your CSI driver.
The example below shows how to enable encryption at rest for data stored in UltiHash with the AWS EBS CSI driver. The driver has to be installed before deploying the UltiHash cluster; follow the official guide. If you specify a customer-managed KMS key, the IAM role used by the EBS CSI driver must also be allowed to use that key (the driver's documentation lists the required KMS permissions). After the EBS CSI driver is installed, provision a storage class on your Kubernetes cluster with the configuration shown below:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: example-storage # Specify a name for the storage class
parameters:
  encrypted: "true" # Make the CSI driver encrypt the EBS volumes it provisions
  type: gp3 # Select the required type of EBS volumes to provision ('gp2', 'gp3', 'io1', or other)
  # kmsKeyId: "" # (optional) the KMS key used to encrypt the provisioned EBS volumes; if omitted, the AWS-managed EBS key is used
provisioner: ebs.csi.aws.com
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
To make the UltiHash cluster use the storage class above for all of its persistent volumes, specify it in the Helm values of the UltiHash Helm chart:
etcd:
  persistence:
    storageClass: example-storage
database:
  primary:
    persistence:
      storageClass: example-storage
storage:
  storageClass: example-storage
deduplicator:
  storageClass: example-storage
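The following Python script is an added example, not part of the UltiHash chart or its documentation. It audits a deployed release for the failure mode the Helm values above guard against: a component whose PVC silently lands on a storage class without encrypted: "true" (for instance the cluster's default class, because one of the four storageClass keys was left unset). It is meant to be fed the output of kubectl get storageclass -o json and kubectl get pvc -n <namespace> -o json; the samples embedded below are constructed in that shape, and the PVC names in them are illustrative.

```python
import json

# Constructed sample of the `items` of `kubectl get storageclass -o json`.
SAMPLE_STORAGE_CLASSES = [
    {"metadata": {"name": "example-storage"},
     "provisioner": "ebs.csi.aws.com",
     "parameters": {"encrypted": "true", "type": "gp3"}},
    {"metadata": {"name": "gp2",
                  "annotations": {"storageclass.kubernetes.io/is-default-class": "true"}},
     "provisioner": "kubernetes.io/aws-ebs",
     "parameters": {"type": "gp2"}},  # no 'encrypted' parameter: plaintext unless the account forces encryption
]

# Constructed sample of the `items` of `kubectl get pvc -n <namespace> -o json`; names are illustrative.
SAMPLE_PVCS = [
    {"metadata": {"name": "data-ultihash-etcd-0"}, "spec": {"storageClassName": "example-storage"}},
    {"metadata": {"name": "data-ultihash-database-0"}, "spec": {"storageClassName": "gp2"}},
    {"metadata": {"name": "data-ultihash-storage-0"}, "spec": {}},  # key omitted: the default class applies
]

EBS_PROVISIONERS = {"ebs.csi.aws.com", "kubernetes.io/aws-ebs"}


def storage_class_encrypts(sc):
    """True only when the class itself asks EBS for encrypted volumes.
    Account-level 'EBS encryption by default' would also encrypt, but that is invisible here,
    so the audit stays conservative and reports such classes."""
    params = sc.get("parameters") or {}
    return sc.get("provisioner") in EBS_PROVISIONERS and str(params.get("encrypted", "")).lower() == "true"


def default_storage_class(storage_classes):
    """Name of the cluster's default class, used by PVCs that omit storageClassName."""
    for sc in storage_classes:
        annotations = sc["metadata"].get("annotations") or {}
        if annotations.get("storageclass.kubernetes.io/is-default-class") == "true":
            return sc["metadata"]["name"]
    return None


def audit_pvcs(storage_classes, pvcs):
    """One finding per PVC that does not resolve to an encrypting EBS storage class."""
    by_name = {sc["metadata"]["name"]: sc for sc in storage_classes}
    default = default_storage_class(storage_classes)
    findings = []
    for pvc in pvcs:
        spec = pvc.get("spec") or {}
        # An absent key means 'use the default class'; an explicit "" means static binding, no class.
        sc_name = spec["storageClassName"] if "storageClassName" in spec else default
        entry = {"pvc": pvc["metadata"]["name"], "storageClass": sc_name}
        if not sc_name:
            findings.append({**entry, "reason": "no storage class (static PV or no default class)"})
        elif sc_name not in by_name:
            findings.append({**entry, "reason": "storage class does not exist"})
        elif not storage_class_encrypts(by_name[sc_name]):
            findings.append({**entry, "reason": 'storage class does not set encrypted: "true"'})
    return findings


def audit_from_kubectl(storageclass_json_text, pvc_json_text):
    """Convenience wrapper over raw `kubectl ... -o json` output."""
    return audit_pvcs(json.loads(storageclass_json_text)["items"],
                      json.loads(pvc_json_text)["items"])


if __name__ == "__main__":
    for finding in audit_pvcs(SAMPLE_STORAGE_CLASSES, SAMPLE_PVCS):
        print(f"{finding['pvc']}: storageClass={finding['storageClass']} -> {finding['reason']}")
```

On a real cluster, pipe the two kubectl JSON outputs into audit_from_kubectl; an empty result means every PVC of the release is backed by a class that requests EBS encryption. Anything else is either a Helm value still pointing at an unencrypted class or a component that fell through to the default class.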