Using SSL Certs with the Atlas Operator
Many modern databases support SSL/TLS encryption for secure communication between clients and the database. In this document we provide some basic guidance on how to use SSL/TLS certificates with the Atlas Operator on Kubernetes.
Step 1: Create a Secret for the SSL/TLS Certificates
The first step is to create a Kubernetes Secret that contains the SSL/TLS certificates. If you are using a Kubernetes Operator that supports automatically creating certificates such as the CockroachDB Operator, you can use the certificates created by that Operator.
Here is an example of how to create a Secret with SSL/TLS certificates:
```shell
kubectl create secret generic my-secret \
  --from-file=ca.crt=./path/to/ca.crt \
  --from-file=tls.key=./path/to/tls.key \
  --from-file=tls.crt=./path/to/tls.crt
```
This will create a Secret named `my-secret` with the SSL/TLS certificates.
Step 2: Mount the Certificates into the Atlas Operator
The next step is to mount the SSL/TLS certificates into the Atlas Operator. To do this, create a file named `values.yaml` with the following content:
```yaml
extraVolumes:
  - name: certs
    secret:
      secretName: my-secret
      defaultMode: 0640
extraVolumeMounts:
  - name: certs
    mountPath: /certs
    readOnly: true
```
Now, install the operator using this `values.yaml` file:
```shell
helm install atlas-operator oci://ghcr.io/ariga/charts/atlas-operator -f values.yaml
```
This will install the Atlas Operator, overriding the `extraVolumes` and `extraVolumeMounts` values to mount the SSL/TLS certificates into the Operator.
Step 3: Use the Certificates in the Database URL
The final step is to use the SSL/TLS certificates in the database URL. For example, if you are using the PostgreSQL or CockroachDB databases, you can use the following database URL:
```
postgresql://username@hostname:port/database?sslmode=verify-full&sslcert=/certs/tls.crt&sslkey=/certs/tls.key&sslrootcert=/certs/ca.crt
```
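The three steps above only protect the connection if the URL actually asks libpq to verify the server (`sslmode=verify-full` checks both the CA chain and the hostname; `verify-ca` skips the hostname check, and `require` or the default `prefer` do not validate the certificate at all) and if the referenced files are present under the mount with the private key kept out of reach of other users. The following POSIX shell functions are an added example written for this guide, not part of the Atlas Operator or its chart: `check_ssl_url` inspects a database URL before it is handed to the operator, and `check_cert_files` inspects a directory laid out like the `/certs` mount. The mount path argument and the fixed file names (`ca.crt`, `tls.crt`, `tls.key`) mirror the Secret created in Step 1.

```shell
#!/bin/sh
# Added example for this guide (hypothetical helpers, not Atlas Operator code).
# Checks a database URL and a certificate directory against the setup above.

# Print the value of query parameter $2 in URL $1 (empty if absent).
url_param() {
  printf '%s\n' "$1" | sed -n "s/.*[?&]$2=\([^&]*\).*/\1/p"
}

# check_ssl_url URL [MOUNT_DIR]
# Returns 0 when the URL enforces full certificate verification and every
# cert parameter points inside MOUNT_DIR (default /certs); otherwise prints
# the reason and returns 1.
check_ssl_url() {
  url=$1
  mount=${2:-/certs}
  mode=$(url_param "$url" sslmode)
  case "$mode" in
    verify-full) ;;
    "") echo "sslmode missing: libpq defaults to 'prefer', which does not verify the server"; return 1 ;;
    *) echo "sslmode=$mode: only verify-full checks both the CA chain and the hostname"; return 1 ;;
  esac
  for p in sslcert sslkey sslrootcert; do
    v=$(url_param "$url" "$p")
    [ -n "$v" ] || { echo "$p is missing from the URL"; return 1; }
    case "$v" in
      "$mount"/*) ;;
      *) echo "$p=$v is outside the certificate mount $mount"; return 1 ;;
    esac
  done
  return 0
}

# check_cert_files DIR
# Returns 0 when DIR holds the three files the Secret is built from and the
# private key is not readable by "other" (as with defaultMode 0640).
check_cert_files() {
  dir=$1
  for f in ca.crt tls.crt tls.key; do
    [ -f "$dir/$f" ] || { echo "$dir/$f is missing"; return 1; }
  done
  # Characters 8-10 of `ls -l` output are the permission bits for "other".
  other=$(ls -ld "$dir/tls.key" | cut -c8-10)
  case "$other" in
    ---) return 0 ;;
    *) echo "$dir/tls.key is accessible to other users (other bits: $other)"; return 1 ;;
  esac
}

# Usage with the URL from Step 3 (constructed values; port and names are placeholders):
# check_ssl_url 'postgresql://username@hostname:5432/database?sslmode=verify-full&sslcert=/certs/tls.crt&sslkey=/certs/tls.key&sslrootcert=/certs/ca.crt' /certs
# check_cert_files /certs
```

Run `check_ssl_url` against the URL you intend to store for the operator, and run `check_cert_files` from inside the operator pod (for example via `kubectl exec`) to confirm the Secret was mounted with the expected file names and mode.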
To learn more about how to securely provide the database URL to the operator, see the docs.