
Configuring TLS

Any listener in a LittleHorse Cluster can have TLS. The LittleHorse Operator allows you to configure TLS certificates in two ways:

  1. Providing a reference to a Kubernetes Secret with the TLS certificate in it.
  2. Providing a reference to a Cert Manager Issuer or ClusterIssuer to provision Certificates dynamically.

Adding TLS

To configure TLS for a specific listener, you can use the spec.server.listeners[].tls field.

Cert Manager

Once you have access to an Issuer or ClusterIssuer from Cert Manager, you can easily configure your LHCluster to use it for TLS as follows:

apiVersion: littlehorse.io/v1
kind: LHCluster
metadata:
  name: certmanager-example
  namespace: littlehorse
spec:
  server:
    listeners:
      - name: external-wildcard
        advertisedListeners:
          serverHostSuffix: ".test.littlehorse.cloud"
        port: 2443
        tls:
          issuerRef:
            kind: ClusterIssuer
            name: my-cluster-issuer
    # ...
Note: The Issuer or ClusterIssuer should match the domain of all of the advertised hosts of your LH Cluster. For more information on configuring advertised hosts see the docs.

If your Issuer or ClusterIssuer is not a publicly-trusted issuer (a publicly-trusted issuer would be, e.g., Let's Encrypt via the ACME protocol), then you will need to configure your LH Clients to trust the CA certificate of the Issuer or ClusterIssuer.

Manual Secrets

First, you should create a Kubernetes Secret with the following keys:

  • tls.key with the private key
  • tls.crt with the public cert

Next, you should configure spec.server.listeners[].tls.secretRef to point to that secret. An example is below.

apiVersion: littlehorse.io/v1
kind: LHCluster
metadata:
  name: tls-secret
  namespace: littlehorse
spec:
  server:
    listeners:
      - name: external-wildcard
        advertisedListeners:
          serverHostSuffix: ".test.littlehorse.cloud"
        port: 2443
        tls:
          secretRef:
            name: my-secret
    # ...
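The following is an added example, not code from the LittleHorse Operator or its documentation. It builds the kubernetes.io/tls Secret that the secretRef above points at (with tls.crt and tls.key populated from PEM strings, validated for the right PEM block types), and it performs the check the Cert Manager note above asks for: that every advertised host is covered by a DNS SAN on the certificate, using RFC 6125-style wildcard matching. Only the standard library is used. The PEM bodies, the SAN list and the shape of the advertised host names (server-N followed by the serverHostSuffix) are constructed placeholders; extracting the SANs from a real certificate would need a library such as `cryptography`, so the SAN list is passed in explicitly.

```python
"""Build and sanity-check the kubernetes.io/tls Secret referenced by
spec.server.listeners[].tls.secretRef, and check the certificate's SANs
against the listener's advertised hosts.

Added example, not part of the LittleHorse Operator. Standard library only.
"""
import base64
import json
import re

# Matches one PEM block and captures its label (e.g. "CERTIFICATE").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)

# Constructed placeholders; the bodies are NOT real key material.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
constructed-placeholder-body-not-a-real-certificate
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
constructed-placeholder-body-not-a-real-private-key
-----END PRIVATE KEY-----
"""
SERVER_HOST_SUFFIX = ".test.littlehorse.cloud"   # value from the LHCluster example
# Assumed host-name shape for three advertised servers (constructed).
SAMPLE_HOSTS = [f"server-{i}{SERVER_HOST_SUFFIX}" for i in range(3)]
# SANs as they might appear on a wildcard certificate (constructed).
SAMPLE_SANS = ["*.test.littlehorse.cloud"]


def pem_types(pem):
    """Return the labels of all PEM blocks in the string, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


def build_tls_secret(name, namespace, cert_pem, key_pem):
    """Return a kubernetes.io/tls Secret manifest (as a dict) holding tls.crt/tls.key."""
    if "CERTIFICATE" not in pem_types(cert_pem):
        raise ValueError("tls.crt must contain at least one CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t in pem_types(key_pem)):
        raise ValueError("tls.key must contain a PRIVATE KEY block")
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": enc(cert_pem), "tls.key": enc(key_pem)},
    }


def decode_secret_field(manifest, key):
    """Decode one base64 entry of a Secret's data map back to text."""
    return base64.b64decode(manifest["data"][key]).decode()


def hostname_matches_san(hostname, san):
    """RFC 6125-style DNS match: a wildcard may only be the whole leftmost label
    and matches exactly one label (so *.a.b does not match x.y.a.b or a.b)."""
    host = hostname.lower().rstrip(".")
    pat = san.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    host_labels, pat_labels = host.split("."), pat.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def uncovered_hosts(hosts, sans):
    """Advertised hosts that none of the certificate's DNS SANs would match."""
    return [h for h in hosts if not any(hostname_matches_san(h, s) for s in sans)]


if __name__ == "__main__":
    missing = uncovered_hosts(SAMPLE_HOSTS, SAMPLE_SANS)
    if missing:
        raise SystemExit(f"certificate does not cover advertised hosts: {missing}")
    manifest = build_tls_secret("my-secret", "littlehorse", SAMPLE_CERT, SAMPLE_KEY)
    # JSON is valid YAML, so this can be piped straight into kubectl apply -f -.
    print(json.dumps(manifest, indent=2))
```

Run the script and pipe its output to `kubectl apply -f -` once the placeholder PEM strings are replaced with the real certificate chain and key; the SAN check runs first so that a certificate that does not cover the advertised hosts is rejected before the Secret is created.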