UCC: TLS Configuration#
This guide covers enabling TLS for in-cluster communication between Cloud Function clients and the USD Content Cache (UCC) service.
1. Create the TLS Secret#
Create a Kubernetes TLS secret with your certificate and key:
```bash
kubectl create secret tls tls-secret \
  --cert=tls.crt \
  --key=tls.key \
  --namespace ucc
```
Important
The in-cluster DNS name of the UCC service MUST be present in the certificate as a DNS Subject Alternative Name (SAN). Placing it only in the Common Name (CN) is not enough: Go (1.15 and later) and current browsers ignore the CN entirely, and OpenSSL-based clients only fall back to it when the certificate has no SAN extension at all.
For example, if your UCC installation name is ucc and it runs in the ucc namespace, the certificate must include
ucc.ucc.svc.cluster.local as a DNS SAN.
Self-Signed Certificate (Reference Only)#
For testing purposes only, you can create a self-signed certificate using OpenSSL:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=ucc.ucc.svc.cluster.local" \
  -addext "subjectAltName=DNS:ucc.ucc.svc.cluster.local"
```
The -addext option writes the service name into the SAN extension and requires OpenSSL 1.1.1 or later; a certificate carrying the name only in the CN will be rejected by SAN-only clients.
Warning
Self-signed certificates should NOT be used in production environments. Use certificates from a trusted Certificate Authority (CA) for production deployments.
2. Enable TLS in values.yaml#
After creating the TLS secret, enable TLS in your values.yaml by adding the following under the tls section:
```yaml
tls:
  # Enable TLS encryption for in-cluster communication between Cloud Function pods and UCC
  enabled: true
  # Name of the Kubernetes TLS secret created in step 1
  secretName: tls-secret
```
The enabled: true setting activates TLS encryption for communication between Cloud Function
pods and UCC. The secretName references the Kubernetes secret created in step 1.
Important
This setting controls TLS between Cloud Function pods and UCC. It does not enable/disable TLS traffic between UCC and content sources (S3, Azure Blob, Nucleus). Backend connections to object storage always use HTTPS.
3. Complete Example Configuration#
Here is a complete example showing TLS configuration within a typical UCC values.yaml:
```yaml
replicaCount: 3
image:
  pullSecrets:
    - name: ngc-container-pull
fullnameOverride: ucc
service:
  ucc:
    type: ClusterIP
    port: 14128
    containerPort: 14128
  nucleus:
    type: ClusterIP
    port: 14129
    containerPort: 14129
tls:
  enabled: true
  # Must be the name of the TLS secret you created in step 1
  secretName: usd-content-cache-tls
persistence:
  storageClassName: "gp3"
  volumes:
    - name: az
      path: /proxy_cache_az
      sizeGi: 50
      minFreeSizePercentage: 7
    - name: s3
      path: /proxy_cache_s3
      sizeGi: 50
      minFreeSizePercentage: 7
    - name: nucleus
      path: /proxy_cache_nucleus
      sizeGi: 50
      minFreeSizePercentage: 7
nginx:
  workerConnections: 1024
  proxyCache:
    validity:
      "200": "1d"
      "206": "1d"
    paths:
      - name: az
        path: /proxy_cache_az/ucc_data
        maxIdleTime: 1d
        metadataMemorySize: 10m
      - name: s3
        path: /proxy_cache_s3/ucc_data
        maxIdleTime: 1d
        metadataMemorySize: 10m
      - name: nucleus
        path: /proxy_cache_nucleus/ucc_data
        maxIdleTime: 1d
        metadataMemorySize: 10m
  sharedMemory:
    limits:
      presignedUrlCache: "1024m"
      lockByRequestUriTable: "1024m"
backends:
  azure:
    include: true
    allowCacheReset: false
    serverName: ~^(?<container_name>[^\.]+)\.blob\.core\.windows\.net$
    proxyCacheName: az
    proxyPass: $scheme://$host
    proxyAuthPass: $scheme://$host
    cacheTtl: 30
  s3:
    include: true
    allowCacheReset: false
    serverName: ~^[^.]+\.s3\.[^.]+\.amazonaws\.com$
    proxyCacheName: s3
    proxyPass: $scheme://$host
    proxyAuthPass: $scheme://$host
    cacheTtl: 30
  nucleus:
    allowCacheReset: true
    serverName: _
    proxyCacheName: nucleus
    proxyPass: $scheme://$host
    proxyAuthPass: null
metrics:
  prometheus:
    enabled: true
    port: 9145
    serviceMonitor:
      enabled: false
```
4. Apply Configuration Changes#
After updating your values.yaml file with TLS configuration, apply the changes using Helm:
```bash
helm upgrade ucc omniverse/usd-content-cache \
  --namespace ucc \
  -f values.yaml
```
If you are installing UCC for the first time with TLS enabled:
```bash
helm install ucc omniverse/usd-content-cache \
  --namespace ucc \
  -f values.yaml
```
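Steps 1 to 4 as a single script, added here as an example; it is not part of the UCC chart or of NVIDIA's tooling. It assumes the values.yaml from this page is in the working directory, the omniverse Helm repo alias is already added, OpenSSL 1.1.1 or later is installed (for -addext), and the install name is also the fullnameOverride, so the service resolves as <name>.<namespace>.svc.cluster.local. It generates a self-signed certificate (test use only, as the warning above says) with the service name as a DNS SAN, refuses to continue if the SAN is missing, creates or updates the secret idempotently, and layers a tls override onto the release with helm upgrade --install.

```shell
#!/bin/sh
# Added example for this guide (not UCC's own code). Assumptions: values.yaml in
# the working directory, Helm repo alias "omniverse", OpenSSL >= 1.1.1, install
# name == fullnameOverride, chart values tls.enabled / tls.secretName as shown above.
set -eu

# In-cluster DNS name of the UCC service: <install name>.<namespace>.svc.cluster.local
ucc_service_name() {
  printf '%s.%s.svc.cluster.local\n' "$1" "$2"
}

# Self-signed certificate for testing only. The service name goes into a DNS SAN,
# not just the CN, because SAN-only clients (Go, browsers) never look at the CN.
gen_self_signed_cert() {   # $1=dns name  $2=key path  $3=cert path
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$2" -out "$3" \
    -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1"
}

# True only if the certificate's subjectAltName lists exactly this DNS name.
cert_has_san() {           # $1=cert path  $2=dns name
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | grep -qx "[[:space:]]*DNS:$esc"
}

# Minimal values override for the chart's tls section.
render_tls_values() {      # $1=secret name
  printf 'tls:\n  enabled: true\n  secretName: %s\n' "$1"
}

# Idempotent secret creation: render client-side, then apply, so re-runs update
# the secret instead of failing with AlreadyExists.
create_tls_secret() {      # $1=namespace  $2=secret name  $3=cert  $4=key
  kubectl create secret tls "$2" --cert="$3" --key="$4" --namespace "$1" \
    --dry-run=client -o yaml | kubectl apply -f -
}

main() {                   # $1=install name  $2=namespace
  name=$(ucc_service_name "$1" "$2")
  secret=tls-secret
  workdir=$(mktemp -d)
  gen_self_signed_cert "$name" "$workdir/tls.key" "$workdir/tls.crt"
  cert_has_san "$workdir/tls.crt" "$name" || {
    echo "certificate does not carry DNS SAN $name; refusing to install it" >&2
    exit 1
  }
  create_tls_secret "$2" "$secret" "$workdir/tls.crt" "$workdir/tls.key"
  render_tls_values "$secret" > "$workdir/tls-values.yaml"
  # values.yaml is the existing release configuration; the tls override is layered on top.
  helm upgrade --install "$1" omniverse/usd-content-cache \
    --namespace "$2" --create-namespace \
    -f values.yaml -f "$workdir/tls-values.yaml"
  rm -rf "$workdir"       # the private key now lives only in the secret
}

# Usage: sh ucc-tls.sh apply <install name> <namespace>
if [ "${1:-}" = "apply" ]; then
  main "$2" "$3"
fi
```

Run it as `sh ucc-tls.sh apply ucc ucc` for the layout used on this page. For production, replace gen_self_signed_cert with a CA-issued certificate that still carries the service name as a DNS SAN; the cert_has_san gate applies unchanged.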
5. Verify TLS Configuration#
After applying the configuration, verify that TLS is enabled:
```bash
# Check that the TLS secret is mounted in the pod
kubectl describe pod -n ucc -l app.kubernetes.io/instance=ucc | grep -A 5 "Mounts:"
# Verify the pod is running successfully
kubectl get pods -n ucc -l app.kubernetes.io/instance=ucc
# Check service endpoints
kubectl get svc -n ucc -l app.kubernetes.io/instance=ucc
# Confirm the certificate in the secret carries the service name as a DNS SAN and has not expired
kubectl get secret tls-secret -n ucc -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -ext subjectAltName -enddate
# Perform a TLS handshake from inside the cluster against the service name (the alpine/openssl image is an assumption; any image with openssl works)
kubectl run -n ucc tls-check -i --rm --restart=Never --image=alpine/openssl -- s_client -connect ucc.ucc.svc.cluster.local:14128 -servername ucc.ucc.svc.cluster.local </dev/null
```
The TLS secret should be mounted in the pod, the pod should be running without errors, and the service should expose port 14128 over HTTPS when TLS is enabled. The certificate check should list ucc.ucc.svc.cluster.local under X509v3 Subject Alternative Name. The handshake test should complete and print the server certificate; with a self-signed certificate, s_client reports a verification error (self signed certificate) because the test pod does not trust it, which is expected at this step. A handshake that fails outright, or a certificate whose SAN does not contain the service name, means clients will refuse the connection.
Summary#
After enabling TLS, configure client applications to connect to UCC over https:// on the service name (for example https://ucc.ucc.svc.cluster.local:14128) and to trust the CA that issued the certificate; for the self-signed test certificate, that means distributing tls.crt to the clients as their trust anchor. Do not disable certificate or hostname verification on the client to work around a mismatched certificate; fix the certificate's SAN instead.
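The client side of the verification step and the summary above, as an added example that is not UCC's own client code: a standard-library Python module that builds a strict TLS client context (verification and hostname checking on, TLS 1.2 minimum), probes the UCC service, and applies the SAN-only hostname policy that Go and browsers use, so a CN-only certificate like the one the older self-signed command produced is reported as a failure rather than silently accepted. The service-name pattern <install name>.<namespace>.svc.cluster.local, port 14128, and the CA path argument (tls.crt for the self-signed case) are assumptions; the two peer certificates at the bottom are constructed in the format ssl.SSLSocket.getpeercert() returns so the checks run offline.

```python
"""Client-side TLS checks for a UCC endpoint.

Added example for this guide; not UCC's own client code. Assumes the service name
<install name>.<namespace>.svc.cluster.local, port 14128, and a caller-supplied CA
bundle (for a self-signed setup, tls.crt itself). Standard library only.
"""
from __future__ import annotations

import socket
import ssl
from typing import Optional


def ucc_service_name(install_name: str, namespace: str) -> str:
    """In-cluster DNS name that must appear in the certificate's DNS SAN."""
    return f"{install_name}.{namespace}.svc.cluster.local"


def san_dns_names(peercert: dict) -> list[str]:
    """dNSName entries of a certificate in ssl.SSLSocket.getpeercert() format."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(peercert: dict) -> list[str]:
    """commonName attributes of the subject; used only to explain a failure."""
    return [value for rdn in peercert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def _dns_match(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label (*.ucc.svc.cluster.local)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def cert_covers(peercert: dict, hostname: str) -> tuple[bool, str]:
    """Strict, SAN-only hostname check (the policy of Go 1.15+ and current browsers).

    A certificate that carries the name only in its CN fails this check; that is
    the failure mode of a self-signed certificate generated without -addext.
    """
    sans = san_dns_names(peercert)
    if any(_dns_match(p, hostname) for p in sans):
        return True, f"{hostname} matched a DNS SAN"
    if sans:
        return False, f"{hostname} is not among the DNS SANs {sans}"
    if hostname.lower() in (cn.lower() for cn in common_names(peercert)):
        return False, "name is only in the CN; no subjectAltName extension, rejected by SAN-only clients"
    return False, "no subjectAltName and the CN does not match"


def make_client_context(ca_pem_path: Optional[str]) -> ssl.SSLContext:
    """TLS client settings a Cloud Function client should use toward UCC.

    Verification stays on; the CA (or the self-signed tls.crt) is supplied as the
    trust anchor instead of turning checks off. cafile=None uses the system store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_ucc_tls(hostname: str, port: int = 14128, ca_pem_path: Optional[str] = None,
                  timeout: float = 5.0) -> dict:
    """Handshake with the service and report what it presented.

    On success returns ok/reason/version/cipher/san; on an untrusted issuer, a name
    mismatch, a closed port, or a plaintext listener (tls.enabled left false) the
    exception is reported instead of raised so callers can log it.
    """
    ctx = make_client_context(ca_pem_path)
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                ok, reason = cert_covers(cert, hostname)
                return {"ok": ok, "reason": reason, "version": tls.version(),
                        "cipher": tls.cipher()[0], "san": san_dns_names(cert)}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


# Constructed peer certificates in getpeercert() format, for offline demonstration.
GOOD_CERT = {
    "subject": ((("commonName", "ucc.ucc.svc.cluster.local"),),),
    "subjectAltName": (("DNS", "ucc.ucc.svc.cluster.local"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "ucc.ucc.svc.cluster.local"),),)}

if __name__ == "__main__":
    name = ucc_service_name("ucc", "ucc")
    print(cert_covers(GOOD_CERT, name))     # (True, 'ucc.ucc.svc.cluster.local matched a DNS SAN')
    print(cert_covers(CN_ONLY_CERT, name))  # (False, 'name is only in the CN; ...')
    # From a pod in the cluster: print(probe_ucc_tls(name, ca_pem_path="tls.crt"))
```

Run probe_ucc_tls from a pod in the same cluster with the CA file mounted; a result with ok False and an SSLCertVerificationError means either the trust anchor is wrong or the SAN does not cover the service name, and the fix belongs in the certificate, not in the client's verification settings.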