You can enable TLS communication for each component in the Pulsar cluster, or you can enable it only for specific components.
Each component has its own dedicated configuration section, but they’re all under the
Once the TLS setup is done, the operator updates the components configuration to use TLS.
To setup a zero-trust cluster with TLS, set
true for each component:
global: tls: enabled: true zookeeper: enabled: true secretName: zk-tls bookkeeper: enabled: true secretName: bk-tls autorecovery: enabled: true secretName: autorecovery-tls proxy: enabled: true enabledWithBroker: true secretName: proxy-tls broker: enabled: true secretName: broker-tls functionsWorker: enabled: true enabledWithBroker: true secretName: fnw-tls
Each component has its own secret name.
The secret name is auto-provisioned by the operator using
cert-manager. You can share the same certificate across multiple components, although it’s not a recommended practice for security reasons.
The secret must follow the cert-manager Certificate structure:
tls.crt: the certificate
tls.key: the private key
apiVersion: v1 kind: Secret metadata: name: pulsar-tls data: tls.crt: <base64 encoded certificate> tls.key: <base64 encoded key>
The operator only needs to know the secret name. and it will automatically use it as-is. In some cases, like test clusters, you might wish to generate self-signed certificates. The operator integrates with cert-manager to generate a self-signed CA with all the needed certificates.
To enable certificate provisioning, configure it in the
global: tls: certProvisioner: selfSigned: enabled: true perComponent: true zookeeper: generate: true broker: generate: true bookkeeper: generate: true autorecovery: generate: true proxy: generate: true functionsWorker: generate: true
This will generate all the secrets needed by the components. The name of each secret is gathered from the configured
See the repository for examples: