Skip to main content

MarkLogic Server on Kubernetes

Configure a MarkLogic cluster with a standard certificate

To configure a MarkLogic cluster with a standard certificate, follow these steps:

  1. Obtain a certificate with a common name matching the hostname of the MarkLogic host.  The certificate must be signed by a trusted Certificate Authority (CA). Either a publicly rooted CA or a private CA can be used. This example uses a private CA and a 2-node cluster.

  2. Use this script to generate a self-signed CA certificate with openSSL. The script will create ca-private-key.pem as the CA key and cacert.pem as the private CA certificate:

    # Generate private key for CA
    openssl genrsa -out ca-private-key.pem 2048
     
    # Generate the self-signed CA certificate
    openssl req -new -x509 -days 3650 -key ca-private-key.pem -out cacert.pem
  3. Use the script below to generate a private key and CSR for the marklogic-0 pod.  After running the script, tls.key is generated as a private key and a host certificate for the marklogic-0 pod.

    Note

    The filename for the private key must be tls.key and the filename for host certificate must be tls.crt.

    • If the release name is "marklogic", then the host name for the marklogic-0 pod will be "marklogic-0.marklogic.default.svc.cluster.local".

    • The host name for the marklogic-1 pod will be "marklogic-1.marklogic.default.svc.cluster.local".

    # Create private key
    openssl genpkey -algorithm RSA -out tls.key
     
    # Create CSR for marklogic-0
    # Use marklogic-0.marklogic.default.svc.cluster.local as Common Name(CN) for CSR
    openssl req -new -key tls.key -out tls.csr
     
    # Sign CSR with private CA
    openssl x509 -req -CA cacert.pem -CAkey ca-private-key.pem -in tls.csr -out tls.crt -days 365
  4. Use this script below to generate secrets for the host certificate and the CA certificate. Repeat these steps to generate the certificate for the marklogic-1 host and create the secret marklogic-1-cert . After running the script,  secrets are created for marklogic-0 and marklogic-1. One secret is also created for the private CA certificate.

    # Generate Secret for marklogic-0 host certificate
    kubectl create secret generic marklogic-0-cert --from-file=tls.crt --from-file=tls.key
     
    # Generate Secret for private CA certificate
    kubectl create secret generic ca-cert --from-file=cacert.pem
  5. Once the certificate is created within Kubernetes secrets, add the following section to the values.yaml file and follow the instructions outlined in Install the chart.

    tls:
      enableOnDefaultAppServers: true
      certSecretNames:
        - "marklogic-0-cert"
        - "marklogic-1-cert" 
      caSecretName: "ca-cert"