Configure a MarkLogic cluster with a standard certificate
To configure a MarkLogic cluster with a standard certificate, follow these steps:
Obtain a certificate with a common name matching the hostname of the MarkLogic host. The certificate must be signed by a trusted Certificate Authority (CA). Either a publicly rooted CA or a private CA can be used. This example uses a private CA and a 2-node cluster.
Use this script to generate a self-signed CA certificate with OpenSSL. The script creates `ca-private-key.pem` as the CA key and `cacert.pem` as the private CA certificate:

```shell
# Generate private key for CA
openssl genrsa -out ca-private-key.pem 2048
# Generate the self-signed CA certificate (valid for 10 years)
openssl req -new -x509 -days 3650 -key ca-private-key.pem -out cacert.pem
```
Use the script below to generate a private key and CSR for the marklogic-0 pod. After running the script, `tls.key` is generated as the private key and `tls.crt` as the host certificate for the marklogic-0 pod.

Note: The filename for the private key must be `tls.key` and the filename for the host certificate must be `tls.crt`. If the release name is "marklogic", then the host name for the marklogic-0 pod will be "marklogic-0.marklogic.default.svc.cluster.local". The host name for the marklogic-1 pod will be "marklogic-1.marklogic.default.svc.cluster.local".

```shell
# Create private key
openssl genpkey -algorithm RSA -out tls.key
# Create CSR for marklogic-0
# Use marklogic-0.marklogic.default.svc.cluster.local as Common Name (CN) for CSR
openssl req -new -key tls.key -out tls.csr -subj "/CN=marklogic-0.marklogic.default.svc.cluster.local"
# Sign CSR with private CA (-CAcreateserial creates the CA serial file on first use)
openssl x509 -req -CA cacert.pem -CAkey ca-private-key.pem -CAcreateserial -in tls.csr -out tls.crt -days 365
```
Use the script below to generate secrets for the host certificate and the CA certificate. Repeat these steps to generate the certificate for the marklogic-1 host and create the secret `marklogic-1-cert`. After running the script, secrets are created for marklogic-0 and marklogic-1. One secret is also created for the private CA certificate.

```shell
# Generate Secret for marklogic-0 host certificate
kubectl create secret generic marklogic-0-cert --from-file=tls.crt --from-file=tls.key
# Generate Secret for private CA certificate
kubectl create secret generic ca-cert --from-file=cacert.pem
```
Once the certificates are stored in Kubernetes secrets, add the following section to the `values.yaml` file and follow the instructions outlined in Install the chart.

```yaml
tls:
  enableOnDefaultAppServers: true
  certSecretNames:
    - "marklogic-0-cert"
    - "marklogic-1-cert"
  caSecretName: "ca-cert"
```
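The steps above, carried through end to end as one script. This is an added example and not part of the MarkLogic Helm chart or its documentation; it generalizes the page's two-pod walkthrough to any number of replicas and adds a check that each certificate chains to the private CA, names the right pod and matches its key before anything is loaded into Kubernetes. Assumptions not taken from the page: release name "marklogic", namespace "default", two replicas, a 2048-bit RSA key, a subjectAltName entry on each host certificate, and the `RELEASE`/`NAMESPACE`/`REPLICAS`/`MARKLOGIC_TLS_RUN` variable names.

```shell
#!/bin/sh
# Added example, not part of the MarkLogic Helm chart docs: issue one host
# certificate per StatefulSet pod from the private CA, check each certificate,
# then create the Kubernetes secrets and print the matching values.yaml fragment.
# Assumptions (not from the page): release "marklogic", namespace "default",
# two replicas, 2048-bit RSA keys, a SAN on each host certificate.
# Requires openssl; kubectl is only needed by load_secrets.
set -eu

RELEASE="${RELEASE:-marklogic}"
NAMESPACE="${NAMESPACE:-default}"
REPLICAS="${REPLICAS:-2}"

# Cluster DNS name of pod N, in the form the page gives for marklogic-0 / marklogic-1
pod_fqdn() {
  echo "${RELEASE}-$1.${RELEASE}.${NAMESPACE}.svc.cluster.local"
}

# Private CA key and self-signed CA certificate (same files as the page's first script)
make_ca() {
  openssl genrsa -out ca-private-key.pem 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca-private-key.pem -out cacert.pem \
    -subj "/CN=MarkLogic private CA (example)"
}

# Key, CSR and CA-signed certificate for pod N, written as tls.key / tls.crt
# under a per-pod directory (the chart expects exactly those filenames)
make_host_cert() {
  ord="$1"; dir="${RELEASE}-${ord}"; fqdn=$(pod_fqdn "$ord")
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/tls.key" 2>/dev/null
  openssl req -new -key "$dir/tls.key" -out "$dir/tls.csr" -subj "/CN=${fqdn}"
  # Assumption beyond the page: also carry the name in a subjectAltName, since
  # modern TLS clients match on the SAN and ignore the CN
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/tls.csr" -CA cacert.pem -CAkey ca-private-key.pem \
    -CAcreateserial -days 365 -extfile "$dir/san.cnf" -out "$dir/tls.crt" 2>/dev/null
}

# Non-zero unless the certificate chains to the private CA, carries the pod's
# DNS name, and belongs to the private key that will be stored beside it
verify_host_cert() {
  ord="$1"; dir="${RELEASE}-${ord}"; fqdn=$(pod_fqdn "$ord")
  openssl verify -CAfile cacert.pem "$dir/tls.crt" >/dev/null &&
  openssl x509 -in "$dir/tls.crt" -noout -checkhost "$fqdn" | grep -q 'does match' &&
  [ "$(openssl x509 -in "$dir/tls.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$dir/tls.key" -noout -modulus)" ]
}

# Same kubectl commands as the page: one generic secret per pod plus one for the CA
load_secrets() {
  i=0
  while [ "$i" -lt "$REPLICAS" ]; do
    kubectl -n "$NAMESPACE" create secret generic "${RELEASE}-${i}-cert" \
      --from-file="${RELEASE}-${i}/tls.crt" --from-file="${RELEASE}-${i}/tls.key"
    i=$((i + 1))
  done
  kubectl -n "$NAMESPACE" create secret generic ca-cert --from-file=cacert.pem
}

# The tls: section of values.yaml, listing every per-pod secret in ordinal order
values_snippet() {
  echo "tls:"
  echo "  enableOnDefaultAppServers: true"
  echo "  certSecretNames:"
  i=0
  while [ "$i" -lt "$REPLICAS" ]; do
    echo "    - \"${RELEASE}-${i}-cert\""
    i=$((i + 1))
  done
  echo "  caSecretName: \"ca-cert\""
}

main() {
  make_ca
  i=0
  while [ "$i" -lt "$REPLICAS" ]; do
    make_host_cert "$i"
    verify_host_cert "$i"   # set -e aborts here if a certificate is wrong
    i=$((i + 1))
  done
  load_secrets
  values_snippet
}

# Run end to end only when asked, so the functions can also be sourced and used one at a time
if [ "${MARKLOGIC_TLS_RUN:-0}" = "1" ]; then
  main
fi
```

Run it as `MARKLOGIC_TLS_RUN=1 REPLICAS=3 sh issue-certs.sh` to cover a three-node cluster; the printed `tls:` block can be pasted into `values.yaml` as-is. The verification step is the part worth keeping even if you script the rest differently: a certificate whose subject does not match the pod's cluster DNS name, or whose key does not match `tls.crt`, will only show up later as a TLS handshake failure between MarkLogic hosts.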