Merge branch 'master' into jstirnaman/fix-vale

pull/5505/head
Jason Stirnaman 2024-07-10 12:13:34 -05:00 committed by GitHub
commit 33408c940d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 53 additions and 0 deletions


@ -821,4 +821,57 @@ spec:
{{% /code-placeholders %}}
### Provide a custom certificate authority bundle {metadata="Optional"}
InfluxDB attempts to make TLS connections to the services it depends on; notably
the [Catalog](/influxdb/clustered/reference/internals/storage-engine/#catalog),
and the [Object store](/influxdb/clustered/reference/internals/storage-engine/#object-store).
InfluxDB validates the certificates for all of the connections it makes.
**If you host these services yourself and you use a private or otherwise not
well-known certificate authority to issue certificates to theses services**,
InfluxDB will not recognize the issuer and will be unable to validate the certificates.
To allow InfluxDB to validate these certificates, provide a PEM certificate
bundle containing your custom certificate authority chain.
1. Use `kubectl` to create a config map containing your PEM bundle.
Your certificate authority administrator should provide you with a
PEM-formatted certificate bundle file.
{{% note %}}
This PEM-formatted bundle file is *not* the certificate that InfluxDB uses to
host its own TLS endpoints. This bundle establishes a chain of trust for the
external services that InfluxDB depends on.
{{% /note %}}
In the example below, `private_ca.pem` is the certificate bundle file.
```sh
kubectl --namespace influxdb create configmap custom-ca --from-file=certs.pem=/path/to/private_ca.pem
```
{{% note %}}
It's possible to append multiple certificates into the same bundle.
This can help if you need to include intermediate certificates or explicitly
include leaf certificates. Leaf certificates should be included before any
intermediate certificates they depend on. The root certificate should
be last in the bundle.
{{% /note %}}
2. Update your `AppInstance` resource in your `myinfluxdb.yml` to refer to your
certificate authority config map. Update the `.spec.package.spec.egress`
property to refer to that config map. For example:
```yml
spec:
package:
spec:
egress:
customCertificates:
valueFrom:
configMapKeyRef:
key: ca.pem
name: custom-ca
```
{{< page-nav prev="/influxdb/clustered/install/auth/" prevText="Set up authentication" next="/influxdb/clustered/install/deploy/" nextText="Deploy your cluster" >}}
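Review bot: The config map key in step 1 does not match the key referenced in step 2. The `kubectl` command stores the bundle under `certs.pem` (`--from-file=certs.pem=/path/to/private_ca.pem`), while the `AppInstance` example reads `key: ca.pem` from `custom-ca`. A reader who follows both steps verbatim ends up with a `configMapKeyRef` that names a key the config map does not contain, so the reference to the CA bundle cannot resolve. Use the same key name in both places, for example `key: certs.pem` in the YAML, or `--from-file=ca.pem=...` in the command. Separately, "theses services" in the bolded sentence should read "these services".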