tls.gateway and tls.engine each enable TLS independently, provisioned the same way as auth.signingKeys (see Authentication): an existing kubernetes.io/tls Secret, or a chart-rendered cert-manager Certificate.
tls.gatewayterminates TLS on the gateway’s client-facing listener (client → gateway).tls.engineenables TLS on the engine’s query listener and, correspondingly, the gateway’s connection to engines — including the active engine health check, which runs over the same connection.
Values
tls.engine’s Secret requires all three keys — tls.crt, tls.key, and ca.crt — even for a self-signed certificate with no separate CA (set ca.crt to a copy of tls.crt in that case). The engine’s own internal health check and the gateway’s upstream connection both need the issuing CA to validate the certificate independently of tls.crt.The certificate’s SANs must also cover every engine node’s per-node hostname (<release>-engine-<engine>-node-<i>-0.<release>-engine-<engine>-hl.<namespace>.svc.cluster.local) and each engine’s headless-service hostname (<release>-engine-<engine>-hl.<namespace>.svc.cluster.local) — both the engine’s self-health-check and the gateway’s auto_san_validation verify against these names. A missing SAN leaves the affected engine node permanently NotReady with no other symptom. tls.engine.certManager derives these automatically; a BYO certificate has to include them explicitly.Install
cert-manager as a certificate source
dnsNames under tls.engine.certManager. The gateway’s certificate has no such derivation; set dnsNames to whatever hostname clients use to reach the gateway.
The issuer behind
tls.engine.certManager must populate ca.crt in the Certificate’s Secret, not just tls.crt/tls.key. CA and Vault issuers do this; a bare self-signed or ACME issuer may not. The chart’s tls-chain-setup init container needs ca.crt to build the engine’s own health-check trust bundle and fails the pod at startup if it’s missing.Caveats
- The
core-uisidecar (engineSpec.uiSidecar) followstls.engine.enabledautomatically, proxying to the engine over HTTPS without verifying its certificate — the connection is over loopback within the pod, so this doesn’t need a trusted CA. - cert-manager and its CRDs must already be installed in the cluster before
certManagerblocks are set on any value; the chart’sCertificateresources otherwise fail to apply.
See also
- Authentication: enabling engine authentication and JWT signing key rotation.
- Security model: pod-hardening baseline and secrets handling across the whole chart.