DDCS: TLS Configuration
This guide covers enabling TLS on the gRPC channel that DDCS uses for inter-cluster cache communication: creating the certificate secret, pointing the Helm values at it, and verifying the result.
1. Create the TLS Secret
Create a Kubernetes TLS secret in the DDCS namespace from your PEM-encoded certificate and private key (the namespace must already exist):

```bash
kubectl create secret tls tls-secret \
  --cert=tls.crt \
  --key=tls.key \
  --namespace ddcs
```
Important
The certificate MUST be valid for the internal service DNS name, <release>.<namespace>.svc.cluster.local. Put that name in the subjectAltName extension as a DNS entry: TLS clients that follow RFC 6125 (Go's TLS stack since 1.15, and therefore gRPC-Go, among others) match the hostname against subjectAltName only and ignore a bare Common Name, so a certificate that carries the name only as its CN fails verification even though the name is "on" the certificate. Setting the same name as the CN in addition is harmless.
For example, if DDCS is installed with release name ddcs in namespace ddcs, the certificate must include ddcs.ddcs.svc.cluster.local as a subjectAltName DNS entry.
Self-Signed Certificate (Reference Only)
For testing purposes only, you can create a self-signed certificate with OpenSSL (1.1.1 or later, for -addext). The -addext line places the service name in subjectAltName, which is what clients actually check; -subj sets the same name as the CN for older tooling:

```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=ddcs.ddcs.svc.cluster.local" \
  -addext "subjectAltName=DNS:ddcs.ddcs.svc.cluster.local"
```
Warning
Self-signed certificates are for testing only and must NOT be used in production: every client has to be configured to trust that exact certificate, and rotating it means redistributing it. For production deployments, use certificates issued by a Certificate Authority (CA) that your clients already trust.
2. Enable TLS in values.yaml
After creating the TLS secret, enable TLS in your values.yaml by adding the following under cluster.container.settings.grpc. The cert and key paths are the defaults: the secret's tls.crt and tls.key are mounted at /tls inside the pod, so leave them as they are.

```yaml
cluster:
  container:
    settings:
      grpc:
        tls:
          # Enable TLS encryption
          enabled: true
          # Name of the Kubernetes TLS secret created in step 1 (same namespace as the release)
          secretName: tls-secret
          # Certificate path within the pod (default)
          cert: "/tls/tls.crt"
          # Private key path within the pod (default)
          key: "/tls/tls.key"
```
The TLS configuration is placed within the gRPC settings section, as DDCS uses gRPC for
communication. The enabled: true setting activates TLS encryption, and secretName
references the Kubernetes secret created in step 1.
3. Optional: Configure CA Root Certificate
If your deployment requires a custom CA root certificate for validation, add it to the same TLS block:

```yaml
cluster:
  container:
    settings:
      grpc:
        tls:
          enabled: true
          secretName: tls-secret
          cert: "/tls/tls.crt"
          key: "/tls/tls.key"
          # Enable CA root certificate validation
          includeCaRoot: true
          # Path to the CA root certificate file inside the pod (placeholder path)
          caRoot: "/cert/path/ca.pem"
```

Note
The includeCaRoot and caRoot options are optional and typically only needed when the peer certificates are issued by a private CA or for mutual TLS (mTLS). caRoot must point to a file that exists inside the container at that path; the path above is a placeholder, not a default.
4. Complete Example Configuration
Here is a complete example showing the TLS block within a typical DDCS values.yaml. Note that secretName must match the name of the secret you created in step 1; this example uses ddcs-tls rather than the tls-secret used above.

```yaml
image:
  pullSecrets:
    - name: ngc-container-pull
cluster:
  replicas: 1
  container:
    resources:
      #limits:
      #  memory: 32Gi
      requests:
        memory: 32Gi
    storage:
      volume:
        size: 330Gi
        storageClassName: "gp3"
    settings:
      storageLimit: 300G
      engine:
        sys.cache_size: "10G"
        sys.block_cache_size: "18G"
        cf.max_write_buffer_number: 128
      grpc:
        tls:
          enabled: true
          # must match the TLS secret created in step 1
          secretName: ddcs-tls
          cert: "/tls/tls.crt"
          key: "/tls/tls.key"
monitoring:
  enabled: false
```
5. Apply Configuration Changes
After updating your values.yaml with the TLS configuration, apply the changes using Helm:

```bash
helm upgrade ddcs omniverse/ddcs \
  --namespace ddcs \
  -f values.yaml
```

If you are installing DDCS for the first time with TLS enabled:

```bash
helm install ddcs omniverse/ddcs \
  --namespace ddcs \
  -f values.yaml
```
6. Verify TLS Configuration
After applying the configuration, verify that the secret is mounted and the pod is healthy:

```bash
# Check that the TLS secret is mounted in the pod
kubectl describe pod -n ddcs -l app.kubernetes.io/instance=ddcs | grep -A 5 "Mounts:"
# Verify the pod is running successfully
kubectl get pods -n ddcs -l app.kubernetes.io/instance=ddcs
```

The TLS secret is mounted at /tls within the pod, and the pod should be Running without restarts. A pod that stays in ContainerCreating usually means secretName does not match an existing secret in the namespace; a crash loop after the mount succeeds points at the certificate or key itself (wrong format, key not matching the certificate, or a certificate that does not cover the service name), so check the container logs for TLS errors as well.
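The checks behind steps 1 and 6 can be run offline before anything touches the cluster. The following Go program is an added example and is not DDCS code or part of this guide: it generates the kind of self-signed certificate the openssl command in step 1 produces (optionally without the subjectAltName entry, to show why a CN-only certificate is rejected), runs the pre-flight checks a practitioner wants before kubectl create secret tls (key matches certificate, validity window, hostname verification exactly as Go's TLS stack performs it), and completes a loopback TLS handshake as a client that expects the service name, which is what step 6 verifies inside the cluster. The constant serviceName, the function names and the choice of an ECDSA key are this example's own; whether DDCS and its clients are Go-based is not stated on the page, but every current TLS stack applies the same subjectAltName rule.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const serviceName = "ddcs.ddcs.svc.cluster.local" // from the page: release "ddcs" in namespace "ddcs"

// selfSignedCert mirrors the page's openssl command (testing only): a one-year self-signed
// serving certificate with CN=dnsName. With withSAN the name also goes into subjectAltName,
// where RFC 6125 clients (Go's crypto/tls, hence gRPC-Go) look. ECDSA P-256 stands in for
// the page's RSA-2048 only so that the example runs fast.
func selfSignedCert(dnsName string, withSAN bool) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{dnsName}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// checkServingCert is the pre-flight check for tls.crt/tls.key before `kubectl create secret tls`:
// key matches cert, cert is inside its validity window, and dnsName verifies against it the way
// a Go TLS client verifies it (subjectAltName only; the CN is ignored).
func checkServingCert(certPEM, keyPEM []byte, dnsName string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a key/cert mismatch
	if err != nil {
		return fmt.Errorf("cert/key pair: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid now (valid %s to %s)", cert.NotBefore, cert.NotAfter)
	}
	if err := cert.VerifyHostname(dnsName); err != nil {
		return fmt.Errorf("%q not covered (missing from subjectAltName?): %w", dnsName, err)
	}
	return nil
}

// loopbackHandshake is step 6 done offline: serve the certificate on a loopback listener and
// dial it as a client that trusts only that certificate and expects serverName, which is
// what a verifying in-cluster client does against ddcs.ddcs.svc.cluster.local.
func loopbackHandshake(certPEM, keyPEM []byte, serverName string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{pair}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: complete one handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(certPEM)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err // certificate rejected: wrong name, expired, untrusted, ...
	}
	conn.Close() // the handshake already verified the certificate; nothing else to exchange
	return nil
}

func main() {
	certPEM, keyPEM, _ := selfSignedCert(serviceName, true) // a generation error surfaces in the checks below
	fmt.Println("pre-flight check:", checkServingCert(certPEM, keyPEM, serviceName))
	fmt.Println("loopback handshake:", loopbackHandshake(certPEM, keyPEM, serviceName))
}
```

To check a real pair, read tls.crt and tls.key from disk and pass the bytes to checkServingCert; with the CA-issued certificate you will use in production, the client side of loopbackHandshake would trust the CA rather than the leaf. Inside the cluster, the equivalent of the handshake test is openssl s_client against ddcs.ddcs.svc.cluster.local with -servername set to that name and the gRPC port your release exposes: the certificate chain it prints should show the subjectAltName entry, and the verification result should be 0.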
Summary
For deployment instructions, refer to the DDCS: Deployment guide. For general configuration options, refer to the DDCS: Configure guide.