TLS communication
You can enable TLS communication for each component in the Pulsar cluster, or you can enable it only for specific components.
Each component has its own dedicated configuration section, but they’re all under the global.tls section.
Once the TLS setup is done, the operator updates the components configuration to use TLS.
To setup a zero-trust cluster with TLS, set enabled to true for each component:
global:
tls:
enabled: true
zookeeper:
enabled: true
secretName: zk-tls
bookkeeper:
enabled: true
secretName: bk-tls
autorecovery:
enabled: true
secretName: autorecovery-tls
proxy:
enabled: true
enabledWithBroker: true
secretName: proxy-tls
broker:
enabled: true
secretName: broker-tls
functionsWorker:
enabled: true
enabledWithBroker: true
secretName: fnw-tls|
Each component has its own secret name. |
The secret name is auto-provisioned by the operator using cert-manager. You can share the same certificate across multiple components, although it’s not a recommended practice for security reasons.
The secret must follow the cert-manager Certificate structure:
-
tls.crt: the certificate -
tls.key: the private key
apiVersion: v1
kind: Secret
metadata:
name: pulsar-tls
data:
tls.crt: <base64 encoded certificate>
tls.key: <base64 encoded key>The operator only needs to know the secret name. and it will automatically use it as-is. In some cases, like test clusters, you might wish to generate self-signed certificates. The operator integrates with cert-manager to generate a self-signed CA with all the needed certificates.
To enable certificate provisioning, configure it in the global.tls section.
global:
tls:
certProvisioner:
selfSigned:
enabled: true
perComponent: true
zookeeper:
generate: true
broker:
generate: true
bookkeeper:
generate: true
autorecovery:
generate: true
proxy:
generate: true
functionsWorker:
generate: trueThis will generate all the secrets needed by the components. The name of each secret is gathered from the configured secretName.
See the repository for examples:
