TLS - Deploy Memphis with TLS Connection to Metadata Frontend

The self-signed certificates generated in this section are intended for testing and development. In production environments, it is strongly recommended to use certificates issued by a trusted Certificate Authority (CA) for enhanced security.

Step 1: Generate Certificates

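Begin by generating the client key and certificate with OpenSSL. The signing command expects an existing CA certificate and key (ca.crt and ca.key) in the current directory:

# Generate an RSA private key, passphrase-protected at creation
openssl genrsa -des3 -passout pass:password -out ./client_tls.key
# Remove the passphrase in place so the key can be loaded without a prompt
openssl rsa -in ./client_tls.key -passin pass:password -out ./client_tls.key
# Create a certificate signing request (CSR) with CN=postgres
openssl req -new -key ./client_tls.key -out ./client_tls.csr -subj "/C=AU/ST=NSW/L=DY/O=MyOrg/OU=Dev/CN=postgres"
# Sign the CSR with the CA; with no -days option the certificate is valid for 30 days (the OpenSSL default)
openssl x509 -req -in ./client_tls.csr -CA ./ca.crt -CAkey ./ca.key -out ./client_tls.crt -CAcreateserial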

Step 2: Create a Secret with the Certificates

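Next, create a Kubernetes secret that holds the client certificate, its private key, and the CA certificate. The secret is created in the memphis namespace, so that namespace must exist before this command runs: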

kubectl create secret generic tls-secret \
--from-file=client_tls.crt \
--from-file=client_tls.key \
--from-file=ca.crt -n memphis

Step 3: Prepare the Metadata TLS Values File

Create a values file named metadata_tls.yaml with the following content:

metadata:
  pgpool:
    tls:
      enabled: true
      autoGenerated: false
      preferServerCiphers: true
      certificatesSecret: "tls-secret"
      certFilename: "client_tls.crt"
      certKeyFilename: "client_tls.key"
      certCAFilename: "ca.crt"

Step 4: Deploy Memphis with the Updated Values

Deploy Memphis with the newly created values file using Helm:

helm repo add memphis https://k8s.memphis.dev/charts/ --force-update
helm install -f metadata_tls.yaml memphis memphis/memphis --create-namespace --namespace memphis --wait
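
A pre-flight check for the files from Step 1, useful before creating the secret in Step 2 or when the metadata pods reject the certificate after Step 4. This is an added example, not part of the Memphis documentation or chart; the function names check_tls_material and make_sample and the 7-day expiry threshold are assumptions, and make_sample only builds constructed throwaway data for trying the check.

```shell
#!/bin/sh
# Added example (not Memphis code): checks the three files that go into tls-secret.
# Usage: sh check_tls.sh DIR   where DIR holds client_tls.crt, client_tls.key, ca.crt

check_tls_material() {
  dir=$1
  crt="$dir/client_tls.crt"; key="$dir/client_tls.key"; ca="$dir/ca.crt"
  for f in "$crt" "$key" "$ca"; do
    [ -s "$f" ] || { echo "FAIL: missing or empty $f"; return 1; }
  done
  # The key must be unencrypted, as Step 1 leaves it after 'openssl rsa'.
  if grep -q ENCRYPTED "$key"; then
    echo "FAIL: $key is still passphrase-protected"; return 1
  fi
  # The certificate must chain to the CA that is stored next to it in the secret.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not verify against $ca"; return 1; }
  # The key must belong to the certificate: both must yield the same public key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $crt"; return 1; }
  # Expiry: 'openssl x509 -req' without -days issues a 30-day certificate.
  openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null ||
    { echo "FAIL: $crt expires within 7 days (assumed threshold)"; return 1; }
  echo "OK: $dir passes all checks"
}

# Constructed sample data: a throwaway CA and client certificate for trying the check.
make_sample() {
  out=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
  openssl genrsa -out "$out/client_tls.key" 2048 2>/dev/null
  openssl req -new -key "$out/client_tls.key" -subj "/CN=postgres" \
    -out "$out/client_tls.csr"
  openssl x509 -req -in "$out/client_tls.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -out "$out/client_tls.crt" 2>/dev/null
}

if [ $# -gt 0 ]; then check_tls_material "$1"; fi
```

Run it against the directory where Step 1 was executed; a non-zero exit status means the secret should not be created from those files yet.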

All rights reserved to Memphis.dev 2023