From 13849a0960fe9944ed75fb1ca15a73e4c359f630 Mon Sep 17 00:00:00 2001 From: Muhammad Raisul Islam Evan Date: Fri, 15 Nov 2024 01:50:13 +0600 Subject: [PATCH] Add TLS Overview Signed-off-by: Muhammad Raisul Islam Evan --- docs/guides/memcached/restart/restart.md | 8 +-- docs/guides/memcached/tls/_index.md | 10 ++++ docs/guides/memcached/tls/overview.md | 69 ++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 4 deletions(-) diff --git a/docs/guides/memcached/restart/restart.md b/docs/guides/memcached/restart/restart.md index d5d076bac8..9be572a343 100644 --- a/docs/guides/memcached/restart/restart.md +++ b/docs/guides/memcached/restart/restart.md @@ -166,8 +166,8 @@ kubectl delete ns demo ## Next Steps -- Monitor your Memcached database with KubeDB using [built-in Prometheus](/docs/guides/memcached/monitoring/using-builtin-prometheus.md). -- Monitor your MemcachedQL database with KubeDB using [Prometheus operator](/docs/guides/Memcached/monitoring/using-prometheus-operator.md). -- Detail concepts of [Memcached object](/docs/guides/Memcached/concepts/Memcached.md). -- Use [private Docker registry](/docs/guides/Memcached/private-registry/using-private-registry.md) to deploy MemcachedQL with KubeDB. +- Monitor your Memcached database with KubeDB using [Built-in Prometheus](/docs/guides/memcached/monitoring/using-builtin-prometheus.md). +- Monitor your Memcached database with KubeDB using [Prometheus Operator](/docs/guides/memcached/monitoring/using-prometheus-operator.md). +- Detail concepts of [Memcached](/docs/guides/memcached/concepts/memcached.md). +- Use [private Docker registry](/docs/guides/memcached/private-registry/using-private-registry.md) to deploy Memcached with KubeDB. - Want to hack on KubeDB? Check our [contribution guidelines](/docs/CONTRIBUTING.md). diff --git a/docs/guides/memcached/tls/_index.md b/docs/guides/memcached/tls/_index.md index e69de29bb2..83882bc4aa 100644 --- a/docs/guides/memcached/tls/_index.md 
+++ b/docs/guides/memcached/tls/_index.md @@ -0,0 +1,10 @@ +--- +title: Run Memcached with TLS +menu: + docs_{{ .version }}: + identifier: mc-tls + name: TLS/SSL Encryption + parent: mc-memcached-guides + weight: 45 +menu_name: docs_{{ .version }} +--- diff --git a/docs/guides/memcached/tls/overview.md b/docs/guides/memcached/tls/overview.md index e69de29bb2..485402db16 100644 --- a/docs/guides/memcached/tls/overview.md +++ b/docs/guides/memcached/tls/overview.md 
@@ -0,0 +1,69 @@ +--- +title: Memcached TLS/SSL Encryption Overview +menu: + docs_{{ .version }}: + identifier: mc-tls-overview + name: Overview + parent: mc-tls + weight: 10 +menu_name: docs_{{ .version }} +section_menu_id: guides +--- + +> New to KubeDB? Please start [here](/docs/README.md). + +# Memcached TLS/SSL Encryption + +**Prerequisite :** To configure TLS/SSL in `Memcached`, `KubeDB` uses `cert-manager` to issue certificates. So first you have to make sure that the cluster has `cert-manager` installed. To install `cert-manager` in your cluster following steps [here](https://cert-manager.io/docs/installation/kubernetes/). + +To issue a certificate, the following crd of `cert-manager` is used: + +- `Issuer/ClusterIssuer`: Issuers, and ClusterIssuers represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request. You can learn more details [here](https://cert-manager.io/docs/concepts/issuer/). + +- `Certificate`: `cert-manager` has the concept of Certificates that define a desired x509 certificate which will be renewed and kept up to date. You can learn more details [here](https://cert-manager.io/docs/concepts/certificate/). + +**Memcached CRD Specification :** + +KubeDB uses following crd fields to enable SSL/TLS encryption in `Memcached`. + +- `spec:` + - `tls:` + - `issuerRef` + - `certificates` + +Read about the fields in details from [Memcached concept](/docs/guides/memcached/concepts/memcached.md), + +`KubeDB` uses the `issuer` or `clusterIssuer` referenced in the `tls.issuerRef` field, and the certificate specs provided in `tls.certificate` to generate certificate secrets using `Issuer/ClusterIssuers` specification. These certificates secrets including `ca.crt`, `tls.crt` and `tls.key` etc. are used to configure `Memcached` server, exporter etc. respectively. 
+ +## How TLS/SSL configures in Memcached + +The following figure shows how `KubeDB` enterprise used to configure TLS/SSL in Memcached. Open the image in a new tab to see the enlarged version. + +
+Deploy Memcached with TLS/SSL +
Fig: Deploy Memcached with TLS/SSL
+
+ +Deploying Memcached with TLS/SSL configuration process consists of the following steps: + +1. At first, a user creates a `Issuer/ClusterIssuer` cr. + +2. Then the user creates a `Memcached` cr which refers to the `Issuer/ClusterIssuer` cr that the user created in the previous step. + +3. `KubeDB` Provisioner operator watches for the `Memcached` cr. + +4. When it finds one, it creates `Secret`, `Service`, etc. for the `Memcached` database. + +5. `KubeDB` Ops-manager operator watches for `Memcached`(5c), `Issuer/ClusterIssuer`(5b), `Secret` and `Service`(5a). + +6. When it finds all the resources(`Memcached`, `Issuer/ClusterIssuer`, `Secret`, `Service`), it creates `Certificates` by using `tls.issuerRef` and `tls.certificates` field specification from `Memcached` cr. + +7. `cert-manager` watches for certificates. + +8. When it finds one, it creates certificate secrets `tls-secrets`(server, client, exporter secrets etc.) that holds the actual certificate signed by the CA. + +9. `KubeDB` Provisioner operator watches for the Certificate secrets `tls-secrets`. + +10. When it finds all the tls-secret, it creates the related `PetSets` so that Memcached database can be configured with TLS/SSL. + +In the next doc, we are going to show a step-by-step guide on how to configure a `Memcached` database with TLS/SSL. \ No newline at end of file
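Review bot: in overview.md the CRD field name is inconsistent: the spec list under `spec: tls:` names `certificates`, and step 6 says `tls.certificates`, but the paragraph after the list reads `the certificate specs provided in `tls.certificate``; since the same sentence reads `issuerRef` from `tls.issuerRef`, make it `tls.certificates` everywhere. Step 5 also tags the watched resources `(5c)`, `(5b)`, `(5a)` in reverse order with nothing in the text explaining those labels, and the diffstat lists only three markdown files (`3 files changed`), so the figure's image is not part of this patch; confirm the asset already exists at the referenced path or the figure will render broken. Smaller fixes in the same file: `a `Issuer/ClusterIssuer` cr` should be `an`, `To install `cert-manager` in your cluster following steps [here]` should read `follow the steps [here]`, `the following crd of `cert-manager` is used` introduces two items and should be plural (`CRDs ... are used`), `how `KubeDB` enterprise used to configure TLS/SSL` should be `is used to configure`, `Deploying Memcached with TLS/SSL configuration process consists of` should be `The process of deploying Memcached with TLS/SSL consists of`, the sentence ending `from [Memcached concept](...),` needs a period instead of the comma, and the file is missing its trailing newline (`\ No newline at end of file`).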