Documentation

Set up TLS in your InfluxDB cluster

Set up TLS in your InfluxDB cluster to ensure both incoming and outgoing data is encrypted and secure. We recommend using TLS to encrypt communication for the following:

  • Ingress to your cluster
  • Connection to your Object store
  • Connection to your Catalog (PostgreSQL-compatible) database

Set up ingress TLS

Kubernetes support many different ingress controllers, some of which provide simple mechanisms for creating and managing TLS certificates. If using the InfluxDB-defined ingress and the Nginx Ingress Controller, add a valid TLS Certificate to the cluster as a secret. Provide the paths to the TLS certificate file and key file:

kubectl create secret tls ingress-tls \
  --namespace influxdb \
  --cert 
TLS_CERT_PATH
\
--key
TLS_KEY_PATH

Replace the following:

  • TLS_CERT_PATH: Path to the certificate file on your local machine.
  • TLS_KEY_PATH: Path to the certificate secret key file on your local machine.

Provide the TLS certificate secret to the InfluxDB configuration in the Configure ingress step.

Configure ingress

Update your AppInstance resource to reference the secret that contains your TLS certificate and key. The examples below use the name ingress-tls.

  • If modifying the AppInstance resource directly, reference the TLS secret in the spec.package.spec.ingress.tlsSecretName property.
  • If using the InfluxDB Clustered Helm chart, reference the TLS secret in the ingress.tlsSecretName property in your values.yaml.

The tlsSecretName field is optional. You may want to use it if you already have a TLS certificate for your DNS name.

Use cert-manager and Let’s Encrypt to manage TLS certificates

apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
  package:
    spec:
      # ...
      ingress:
        hosts:
          - cluster-host.com
        tlsSecretName: ingress-tls
ingress:
  hosts:
    - cluster-host.com
  tlsSecretName: ingress-tls

Require HTTPS on the object store

Some object store providers allow unsecure connections when accessing the object store. Refer to your object store provider’s documentation for information about installing TLS certificates and ensuring all connections are secure.

If using AWS S3 or an S3-compatible object store, set following property in your AppInstance resources to false to disallow unsecure connections to your object store:

  • If modifying the AppIsntance resource directly:
    spec.package.spec.objectStore.s3.allowHttp
  • If using the InfluxDB Clustered Helm chart:
    objectStore.s3.allowHttp in your values.yaml
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
  package:
    spec:
      objectStore:
        s3:
          # ...
          allowHttp: 'false'
objectStore:
  s3:
    # ...
    allowHttp: 'false'

Require TLS on your catalog database

Refer to your PostreSQL-compatible database provider’s documentation for installing TLS certificates and ensuring secure connections.

If currently using an unsecure connection to your Catalog database, update your Catalog data source name (DSN) to remove the sslmode=disable query parameter:

postgres://username:passw0rd@mydomain:5432/influxdb?sslmode=disable

Provide a custom certificate authority bundle

InfluxDB attempts to make TLS connections to the services it depends on–notably, the Catalog and the Object store. InfluxDB validates certificates for all connections.

If you host dependent services yourself and you use a private or otherwise not well-known certificate authority to issue certificates to them, InfluxDB won’t recognize the issuer and can’t validate the certificates. To allow InfluxDB to validate the certificates from your custom CA, configure the AppInstance resource to use a PEM certificate bundle that contains your custom certificate authority chain.

  1. Use kubectl to create a config map that contains your PEM-formatted certificate bundle file. Your certificate authority administrator should provide you with a PEM-formatted bundle file.

    This PEM bundle file establishes a chain of trust for the external services that InfluxDB depends on. It’s not the certificate that InfluxDB uses to host its own TLS endpoints.

    In the example, replace /path/to/private_ca.pem with the path to your PEM-formatted certificate bundle file:

    kubectl --namespace influxdb create configmap custom-ca --from-file=certs.pem=/path/to/private_ca.pem
    

    Bundle multiple certificates

    You can append multiple certificates into the same bundle. This approach helps when you need to include intermediate certificates or explicitly include leaf certificates.

    Include certificates in the bundle in the following order:

    1. Leaf certificates
    2. Intermediate certificates required by leaf certificates
    3. Root certificate
  2. Update your AppInstance resource to refer to the custom-ca config map.

    • If modifying the AppInstance resource directly:
      Add the config map to the .spec.package.spec.egress property.
    • If using the InfluxDB Clustered Helm chart:
      Set useCustomEgress to true and update the egress property to refer to the config map.
    apiVersion: kubecfg.dev/v1alpha1
    kind: AppInstance
    # ...
    spec:
      package:
        spec:
          egress:
            customCertificates:
              valueFrom:
                configMapKeyRef:
                  key: ca.pem
                  name: custom-ca
    
    useCustomEgress: true
    egress:
      customCertificates:
        valueFrom:
          configMapKeyRef:
            key: ca.pem
            name: custom-ca
    

Apply the changes to your cluster

Use kubectl or helm (if using the InfluxDB Clustered Helm chart), to apply the configuration changes to your cluster:

kubectl apply \
  --filename myinfluxdb.yml \
  --namespace influxdb
helm upgrade \
  influxdata/influxdb3-clustered \
  -f ./values.yml \
  --namespace influxdb

Was this page helpful?

Thank you for your feedback!


The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Read more

InfluxDB v3 enhancements and InfluxDB Clustered is now generally available

New capabilities, including faster query performance and management tooling advance the InfluxDB v3 product line. InfluxDB Clustered is now generally available.

InfluxDB v3 performance and features

The InfluxDB v3 product line has seen significant enhancements in query performance and has made new management tooling available. These enhancements include an operational dashboard to monitor the health of your InfluxDB cluster, single sign-on (SSO) support in InfluxDB Cloud Dedicated, and new management APIs for tokens and databases.

Learn about the new v3 enhancements


InfluxDB Clustered general availability

InfluxDB Clustered is now generally available and gives you the power of InfluxDB v3 in your self-managed stack.

Talk to us about InfluxDB Clustered