Channel encryption (TLS) in Cloudera Surveyor for Apache Kafka

Get started with TLS encryption in Cloudera Surveyor. Learn which types of traffic can be secured using TLS, along with the available configuration properties and certificate management practices.

You can protect sensitive data and ensure secure access by configuring TLS for Cloudera Surveyor. TLS can be configured for the following types of traffic.

  • TLS for internal (backend) traffic – Secures traffic between the external access point (LoadBalancer or Ingress) and Cloudera Surveyor. Internal TLS ensures that even internal traffic within the Kubernetes cluster remains encrypted, protecting against potential threats inside the cluster network.

  • TLS for client traffic – Secures connections from end users (clients) to the Cloudera Surveyor UI. It is configured on the Kubernetes Service that provides external access (LoadBalancer or Ingress) and ensures that all data exchanged with clients connecting from outside the cluster is encrypted.

  • TLS for LDAP traffic – Secures connections between Cloudera Surveyor and your LDAP authentication provider. Typically, you set this up when you configure LDAP authentication.

Cloudera recommends that you enable TLS for all of the categories listed above. This ensures that all traffic handled by Cloudera Surveyor is encrypted.

Configuring TLS channel encryption

Configure TLS with TLS-related properties in your custom values file. TLS for internal, client, and LDAP traffic is configured separately.

TLS for internal traffic

TLS for internal traffic is configured with the tlsConfigs.* properties. For example:

tlsConfigs:
  enabled: true
  secretRef: "[***TLS SECRET NAME***]"

  • tlsConfigs.enabled – Enables or disables TLS

  • tlsConfigs.secretRef – The name of the Kubernetes Secret containing the TLS certificate and private key. This Secret must be created in advance or managed by cert-manager.

TLS for client traffic

TLS for client traffic is configured on the Service (Ingress or LoadBalancer) that provides access to Cloudera Surveyor.

For Ingress, you configure ingress.tls.* properties. For example:

#...
ingress:
  enabled: true
  protocol: "HTTPS"
  className: "nginx"
  rules:
    host: my-domain.example
    port: 443
  tls:
    enabled: true
    issuer: "[***ISSUER NAME***]"
    secretRef: "[***INGRESS TLS CERT SECRET***]"

TLS for Ingress is typically configured when you set up external access with Ingress. For a step-by-step guide see Configuring external access with Ingress.

For LoadBalancers, the actual load balancer is provisioned and managed by your cloud or infrastructure provider. As a result, TLS settings and certificate management may vary depending on the platform. Refer to vendor-specific documentation for detailed guidance on configuring TLS.

TLS for LDAP traffic

TLS for LDAP traffic is configured using the globalTruststore.* properties. These properties specify a Secret that contains a truststore holding the certificate of the root Certificate Authority (CA) of the LDAP server's certificate chain, as well as the password used to access the truststore. You typically configure these properties when you set up LDAP. For a step-by-step guide, see Configuring LDAP authentication.

Managing certificates

Learn about managing TLS certificates in Cloudera Surveyor. You can manage certificates manually or use cert-manager to automate certificate management. Cloudera recommends automatic certificate management.

Cloudera Surveyor stores its TLS certificates in Secrets. The Secrets are specified by the following two properties.

  • tlsConfigs.secretRef – Specifies the name of the Secret containing the TLS certificate used for internal TLS traffic.

  • ingress.tls.secretRef – Specifies the name of the Secret containing the TLS certificate used by the Ingress to secure incoming client communications.

Both Secrets must contain a valid certificate and private key. Cloudera recommends that you use cert-manager to manage the Secrets and the certificates that they store. Alternatively, you can choose to manage them manually.

Automatic certificate management with cert-manager

cert-manager is a popular Kubernetes add-on for automating the management and issuance of TLS certificates. In order to manage the certificates used by Cloudera Surveyor with cert-manager you need the following.

  • A cert-manager instance in your Kubernetes cluster.

  • An Issuer deployed for cert-manager.

The management of the two Secrets that Cloudera Surveyor uses to store certificates differs.

  • tlsConfigs.secretRef – The Certificate resource for this Secret must be created manually. When creating a Certificate resource, set spec.secretName to the same value as tlsConfigs.secretRef. This way cert-manager saves the certificate and private key to the Secret that Cloudera Surveyor uses.

  • ingress.tls.secretRef – The Certificate resource for this Secret is created automatically when ingress.tls.issuer is also configured. Specifically, the Ingress requests a certificate from cert-manager using the configured Issuer. This triggers the creation of the Certificate resource and saves the certificate file and private key to the Secret defined in ingress.tls.secretRef.
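As an added example (not from the Cloudera documentation), the following cert-manager Certificate resource provides the internal TLS Secret, with spec.secretName set to the same value as tlsConfigs.secretRef; the namespace, Issuer name, Secret name and DNS names are assumed placeholders.

```yaml
# Added example; all names below are assumptions, not values from the Cloudera docs.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: surveyor-internal-tls
  namespace: surveyor               # same namespace as the Cloudera Surveyor release
spec:
  # Must equal tlsConfigs.secretRef so that cert-manager writes tls.crt and tls.key
  # into the Secret that Cloudera Surveyor reads its certificate and key from.
  secretName: surveyor-internal-tls-secret
  issuerRef:
    name: my-ca-issuer              # an Issuer already deployed for cert-manager
    kind: Issuer
  dnsNames:
    - surveyor.surveyor.svc         # in-cluster Service name the backend is reached on
    - surveyor.surveyor.svc.cluster.local
  duration: 2160h                   # 90-day validity
  renewBefore: 360h                 # cert-manager renews 15 days before expiry
---
# Matching entry in the custom values file (a separate file; shown here for the correspondence)
tlsConfigs:
  enabled: true
  secretRef: "surveyor-internal-tls-secret"
```

Before enabling tlsConfigs, confirm that the Certificate reports READY as True (kubectl get certificate -n surveyor) and that the Secret contains both tls.crt and tls.key; if the names differ, Cloudera Surveyor will look for a Secret that cert-manager never populated.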

Manual certificate management

When managing certificates manually, you must create the Secrets that contain the certificates and private keys manually. Ensure that you create and update the appropriate Secrets which are specified in tlsConfigs.secretRef and ingress.tls.secretRef.