Pod-to-pod mTLS
Mutual Transport Layer Security (mTLS) can be used to secure inter-pod traffic within the Instabase cluster.
Unsupported ports
The following ports, used primarily for metrics scraping, remain unencrypted even when pod-to-pod mTLS is enabled (as of release 23.04). Treat traffic to them as cleartext: if that matters in your environment, restrict which sources can reach them at the network layer (for example, with a NetworkPolicy) rather than relying on the mesh.
| Service Name | Port Name | Port Number |
|---|---|---|
| service-alertmanager | http | 29093 |
| service-api-server | stats | 29080 |
| service-apps-server | stats | 29080 |
| service-celery-app-tasks | stats-port | 29080 |
| service-celery-core-tasks | stats-port | 29080 |
| service-celery-webdriver-tasks | stats-port | 29080 |
| service-control-plane | stats | 29080 |
| service-core-platform-service | stats | 29080 |
| service-grpc-file-service | stats-grpc-port | 29081 |
| service-jaeger | jaeger-metrics | 24269 |
| service-job-service | stats | 29080 |
| service-kube-state-metrics | http | 28080 |
| service-license-service | stats | 29080 |
| service-loki-read | http | 23101 |
| service-loki-write | http | 23100 |
| service-model-service | stats-port | 29080 |
| service-model-training-tasks-gpu | stats-port | 29080 |
| service-opensearch | stats | 39114 |
| service-rabbitmq | stats | 25692 |
| service-ray-head | stats-port | 29080 |
| service-ray-model-training-worker | stats-port | 29080 |
| service-redis | stats | 29121 |
| service-redis-file-service | stats | 59121 |
| service-redis-persistent | stats | 19121 |
| service-search-tservice | stats | 29080 |
| service-victoriametrics | http | 28428 |
| service-webapp | stats | 29080 |
Enabling pod-to-pod mTLS
To enable pod-to-pod mTLS in your Instabase cluster:
- Create a Kubernetes Secret called `mesh-manager-tls` that contains the key and certificates used for mTLS. The Secret must have type `kubernetes.io/tls`, and the values under `data` must be base64-encoded (alternatively, supply them as plain text under `stringData`). See the following example:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: mesh-manager-tls
    namespace: ${ib.namespace}
  type: kubernetes.io/tls
  data:
    ca.crt: {{CA certificate}}
    tls.key: {{TLS key}}
    tls.crt: {{TLS certificate}}
  ```
- Make the following changes to the `mesh-manager-config` ConfigMap:
  - Set the `mtls` > `enabled` value to `true`.
  - Increase the `version` number by one. For example, if the current version number is `25`, set the new version to `26`. The version change is what causes the service mesh to reload and pick up the key and certificates created in the previous step.
  - Set `trust_domain` to match the domain or subdomain covered by your `tls.crt`. For example, if your certificate covers `*.instabase.com`, set `trust_domain` to `instabase.com`.

  See the following example:

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: mesh-manager-config
    namespace: ${ib.namespace}
  data:
    config.yaml: |-
      version: {n+1}
      mtls:
        enabled: true
        trust_domain: instabase.com
      ...
      ...
  ```
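The two steps above carried out end to end, as an added example in shell; this is not Instabase's own tooling and none of the function names are from the docs. It assumes that `config.yaml` in the ConfigMap uses two-space indentation, that `kubectl` and an OpenSSL 1.1.1+ `openssl` are on PATH when `apply_mtls` is called, and that the trust domain can be taken from the first DNS SAN in `tls.crt` (with a leading `*.` stripped, matching the `*.instabase.com` to `instabase.com` rule above). The version bump is validated rather than guessed, and only the `enabled` key under `mtls` is touched, so other `enabled` keys in the file are left alone.

```shell
#!/bin/sh
# Added example, not Instabase tooling. Assumptions: two-space YAML indentation
# in config.yaml; kubectl and openssl (1.1.1+, for -ext) available to apply_mtls.

# next_version CURRENT -> CURRENT + 1. Refuses non-integers so a garbled
# ConfigMap cannot silently turn into "version: 1".
next_version() {
  case "$1" in
    ''|*[!0-9]*) echo "next_version: '$1' is not an integer" >&2; return 1 ;;
  esac
  echo $(( $1 + 1 ))
}

# san_to_trust_domain "DNS:*.instabase.com, DNS:instabase.com" -> instabase.com
# Takes the first DNS SAN and strips a leading wildcard label, so trust_domain
# matches what tls.crt actually covers.
san_to_trust_domain() {
  d=$(printf '%s\n' "$1" | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(\*\.\)\{0,1\}//p' | head -n 1)
  [ -n "$d" ] || { echo "san_to_trust_domain: no DNS SAN found" >&2; return 1; }
  printf '%s\n' "$d"
}

# enable_mtls_config TRUST_DOMAIN < config.yaml > new-config.yaml
# Bumps the top-level version by one, sets mtls.enabled: true and
# mtls.trust_domain, and adds the mtls block or missing keys if absent.
# Fails (exit 2) when there is no version key, because the mesh only reloads
# on a version change.
enable_mtls_config() {
  awk -v td="$1" '
    function finish_mtls() {
      if (!seen_enabled) print "  enabled: true"
      if (!seen_td)      print "  trust_domain: " td
      in_mtls = 0
    }
    # Any non-indented, non-comment line ends the mtls block.
    in_mtls && /^[^ \t#]/ { finish_mtls() }
    /^version:[ \t]+[0-9]+[ \t]*$/ { sub(/[0-9]+/, $2 + 1); seen_version = 1; print; next }
    /^mtls:[ \t]*$/ { in_mtls = 1; seen_mtls = 1; print; next }
    in_mtls && /^[ \t]+enabled:/      { sub(/enabled:.*/, "enabled: true"); seen_enabled = 1 }
    in_mtls && /^[ \t]+trust_domain:/ { sub(/trust_domain:.*/, "trust_domain: " td); seen_td = 1 }
    { print }
    END {
      if (!seen_mtls) { print "mtls:"; in_mtls = 1 }
      if (in_mtls) finish_mtls()
      if (!seen_version) { print "config.yaml has no top-level version key" > "/dev/stderr"; exit 2 }
    }'
}

# apply_mtls NAMESPACE CA_CRT TLS_CRT TLS_KEY
# Needs cluster access; defined here but not invoked automatically.
apply_mtls() {
  ns=$1; ca=$2; crt=$3; key=$4
  # Step 1: the kubernetes.io/tls Secret. kubectl base64-encodes the files.
  kubectl create secret generic mesh-manager-tls -n "$ns" --type=kubernetes.io/tls \
    --from-file=ca.crt="$ca" --from-file=tls.crt="$crt" --from-file=tls.key="$key" \
    --dry-run=client -o yaml | kubectl apply -f - || return 1
  # Derive trust_domain from the certificate rather than typing it by hand.
  san=$(openssl x509 -in "$crt" -noout -ext subjectAltName | tail -n +2)
  td=$(san_to_trust_domain "$san") || return 1
  # Step 2: rewrite config.yaml (version+1, mtls enabled, trust_domain) and apply.
  tmp=$(mktemp) || return 1
  kubectl get configmap mesh-manager-config -n "$ns" -o jsonpath='{.data.config\.yaml}' \
    | enable_mtls_config "$td" > "$tmp" || { rm -f "$tmp"; return 1; }
  kubectl create configmap mesh-manager-config -n "$ns" \
    --from-file=config.yaml="$tmp" --dry-run=client -o yaml | kubectl apply -f -
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run it as `apply_mtls "$NAMESPACE" ca.crt tls.crt tls.key` after sourcing the file. The ports listed under Unsupported ports stay in cleartext after this completes, so check them separately if you need to restrict metrics scraping.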