@Thulasidhar-Siva There are a variety of different ways to add TLS and some considerations. First some questions:
- Do you need TLS terminated on the endpoint (load balancer) to the client?
- Do you need TLS on the Dgraph Alpha service itself? Do you need MutualTLS?
- Do you need TLS to secure internal traffic as well, i.e. Zeroes and Alphas?
General TLS prerequisites
If you use a public certificate, you will need to have a registered domain or subdomain. In Kubernetes, you can use a Kubernetes add-on like external-dns to automatically add DNS records for Dgraph endpoints. This can configure AWS Route53, Google CloudDNS, and many others. Otherwise, you can use a private certificate.
TLS terminated at the endpoint
On Kubernetes, you can use certificate solutions from the cloud provider or use the Kubernetes add-on cert-manager.
- ACM (AWS Certificate Manager) - for use with either service type of LoadBalancer configured as Layer 7.
- Google Cloud Managed SSL - for use with ingress resource using ingress type of gce.
- cert-manager (Kubernetes add-on) - for use with ingress resource.
Endpoints with Kubernetes
For endpoints with Kubernetes, you want to use either a service of LoadBalancer type or an ingress. These can be used when configuring the option in a Dgraph helm chart configuration file, e.g. my-values.yaml:
helm install my-release --values my-values.yaml dgraph/dgraph
You want to set alpha.service.type to LoadBalancer, which will provision a load balancer should your cloud provider support it. This will have to be a Layer 7 load balancer to support certificates.
For example with AWS ELB, you can configure the load balancer to be Layer 7 by supplying the proper annotations to alpha.service.annotations. On Google Cloud, layer 7 load balancers are only supported with an ingress.
For ingress examples, there are some examples in:
When configuring an endpoint, you will want to secure it. I presented some options for AWS (which will be similar to other cloud providers):
TLS added directly to Dgraph services
For instructions on securing the Dgraph Alpha service and examples, these are in the Helm Chart instructions for MutualTLS:
Here are some links for instructions and examples of configuring TLS for Dgraph Alpha service:
- Docs: https://dgraph.io/docs/deploy/tls-configuration/
- Dgraph helm chart instructions (mutualTLS): dgraph 0.3.0 · helm/dgraph
- Dgraph helm chart examples: charts/charts/dgraph/example_values at master · dgraph-io/charts · GitHub
Securing internal traffic
If you need all traffic secured, including internal traffic between Dgraph Alpha and Zero nodes, you can find instructions here:
- Docs: https://dgraph.io/docs/deploy/tls-configuration/#using-tls-with-internal-and-external-ports-encrypted
- Dgraph helm chart instructions: dgraph 0.3.0 · helm/dgraph
More examples with helmfile
I put all this together as an example using helmfile. The helmfile tool is useful in automating helm charts with dynamic values. You can find the example and instructions here:
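As an added illustration of the "TLS terminated at the endpoint" option above (not part of the original post or of the Dgraph chart's own examples), here is a my-values.yaml for the AWS ELB case: alpha.service.type is set to LoadBalancer and alpha.service.annotations carries the in-tree AWS cloud-provider annotations that turn the ELB into a Layer 7 listener with an ACM certificate, plus the external-dns hostname annotation so a DNS record is created for the endpoint. The certificate ARN and hostname are placeholders; the Dgraph Alpha HTTP port 8080 is assumed to be the port exposed by the chart's alpha service, and only that port is TLS-terminated here (the gRPC port is not covered by this example).

```yaml
# my-values.yaml (added example, not the chart's own example_values)
# Install with:  helm install my-release --values my-values.yaml dgraph/dgraph
alpha:
  service:
    # LoadBalancer provisions an AWS ELB; the annotations below make it Layer 7.
    type: LoadBalancer
    annotations:
      # Backend (ELB -> Alpha pod) speaks plain HTTP; TLS ends at the ELB.
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      # ACM certificate presented to clients. PLACEHOLDER: replace with your ARN.
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID"
      # Only the Alpha HTTP port gets an HTTPS listener (assumption: chart exposes 8080).
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "8080"
      # external-dns (if installed) creates this record in Route53. PLACEHOLDER hostname.
      external-dns.alpha.kubernetes.io/hostname: "dgraph.example.com"
```

Because the ELB terminates TLS here, the Alpha pods still receive plaintext HTTP from the load balancer. If the question is also about encrypting traffic to the Alpha service itself, or between Alphas and Zeros, this values file does not cover that; those are the separate options the post lists under "TLS added directly to Dgraph services" and "Securing internal traffic".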