Set up TLS in your InfluxDB cluster
Set up TLS in your InfluxDB cluster to ensure both incoming and outgoing data is encrypted and secure. We recommend using TLS to encrypt communication for the following:
- Ingress to your cluster
- Connection to your Object store
- Connection to your Catalog (PostgreSQL-compatible) database
If using self-signed certs, provide a custom certificate authority (CA) bundle.
- Set up ingress TLS
- Require HTTPS on the object store
- Require TLS on your catalog database
- Provide a custom certificate authority bundle
- Apply the changes to your cluster
Set up ingress TLS
Kubernetes support many different ingress controllers, some of which provide simple mechanisms for creating and managing TLS certificates. If using the InfluxDB-defined ingress and the Nginx Ingress Controller, add a valid TLS Certificate to the cluster as a secret. Provide the paths to the TLS certificate file and key file:
kubectl create secret tls ingress-tls \
--namespace influxdb \
--cert TLS_CERT_PATH \
--key TLS_KEY_PATH
Replace the following:
TLS_CERT_PATH
: Path to the certificate file on your local machine.TLS_KEY_PATH
: Path to the certificate secret key file on your local machine.
Provide the TLS certificate secret to the InfluxDB configuration in the Configure ingress step.
Configure ingress
Update your AppInstance
resource to reference the secret that
contains your TLS certificate and key.
The examples below use the name ingress-tls
.
- If modifying the
AppInstance
resource directly, reference the TLS secret in thespec.package.spec.ingress.tlsSecretName
property. - If using the InfluxDB Clustered Helm chart, reference the TLS secret in
the
ingress.tlsSecretName
property in yourvalues.yaml
.
The tlsSecretName
field is optional. You may want to use it if you already have a TLS certificate for your DNS name.
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
# ...
ingress:
hosts:
- cluster-host.com
tlsSecretName: ingress-tls
ingress:
hosts:
- cluster-host.com
tlsSecretName: ingress-tls
Require HTTPS on the object store
Some object store providers allow unsecure connections when accessing the object store. Refer to your object store provider’s documentation for information about installing TLS certificates and ensuring all connections are secure.
If using AWS S3 or an S3-compatible object store, set following property
in your AppInstance
resources to false
to disallow unsecure connections to
your object store:
- If modifying the
AppIsntance
resource directly:
spec.package.spec.objectStore.s3.allowHttp
- If using the InfluxDB Clustered Helm chart:
objectStore.s3.allowHttp
in yourvalues.yaml
apiVersion: kubecfg.dev/v1alpha1
kind: AppInstance
# ...
spec:
package:
spec:
objectStore:
s3:
# ...
allowHttp: 'false'
objectStore:
s3:
# ...
allowHttp: 'false'
Require TLS on your catalog database
Refer to your PostreSQL-compatible database provider’s documentation for installing TLS certificates and ensuring secure connections.
If currently using an unsecure connection to your Catalog database, update your
Catalog data source name (DSN) to remove the sslmode=disable
query parameter:
postgres://username:passw0rd@mydomain:5432/influxdb?sslmode=disable
Provide a custom certificate authority bundle
InfluxDB attempts to make TLS connections to the services it depends on–notably, the Catalog and the Object store. InfluxDB validates certificates for all connections.
If you host dependent services yourself and you use a private or otherwise not
well-known certificate authority to issue certificates to them,
InfluxDB won’t recognize the issuer and can’t validate the certificates.
To allow InfluxDB to validate the certificates from your custom CA,
configure the AppInstance
resource to use a PEM certificate
bundle that contains your custom certificate authority chain.
-
Use
kubectl
to create a config map that contains your PEM-formatted certificate bundle file. Your certificate authority administrator should provide you with a PEM-formatted bundle file.This PEM bundle file establishes a chain of trust for the external services that InfluxDB depends on. It’s not the certificate that InfluxDB uses to host its own TLS endpoints.
In the example, replace
/path/to/private_ca.pem
with the path to your PEM-formatted certificate bundle file:kubectl --namespace influxdb create configmap custom-ca --from-file=certs.pem=/path/to/private_ca.pem
Bundle multiple certificates
You can append multiple certificates into the same bundle. This approach helps when you need to include intermediate certificates or explicitly include leaf certificates.
Include certificates in the bundle in the following order:
- Leaf certificates
- Intermediate certificates required by leaf certificates
- Root certificate
-
Update your
AppInstance
resource to refer to thecustom-ca
config map.- If modifying the
AppInstance
resource directly:
Add the config map to the.spec.package.spec.egress
property. - If using the InfluxDB Clustered Helm chart:
SetuseCustomEgress
totrue
and update theegress
property to refer to the config map.
apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: egress: customCertificates: valueFrom: configMapKeyRef: key: ca.pem name: custom-ca
useCustomEgress: true egress: customCertificates: valueFrom: configMapKeyRef: key: ca.pem name: custom-ca
- If modifying the
Apply the changes to your cluster
Use kubectl
or helm
(if using the InfluxDB Clustered Helm chart), to apply
the configuration changes to your cluster:
kubectl apply \
--filename myinfluxdb.yml \
--namespace influxdb
helm upgrade \
influxdata/influxdb3-clustered \
-f ./values.yml \
--namespace influxdb
Was this page helpful?
Thank you for your feedback!
Support and feedback
Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB and this documentation. To find support, use the following resources:
Customers with an annual or support contract can contact InfluxData Support.