How to configure TLS with EKS fdb

How to configure TLS for EKS FDB?
I have seen this link: fdb-kubernetes-operator/tls.md at main · FoundationDB/fdb-kubernetes-operator · GitHub

A few questions:
Where do I need to add that block? Is that in my cluster.yaml?
cert-manager is already deployed in our EKS clusters,
so how do I make my FDB use the certs?

First I want to mention that currently it is not straightforward to configure TLS using the FDB K8s operator. If you want to contribute to improving the TLS configuration using the FDB K8s Operator, there is an open issue: Restructure TLS settings and handling in the operator.

Where do I need to add that block? Is that in my cluster.yaml?

As pointed out in the documentation, in order to get TLS working you need to make your certificates available to several components:

  • The FDB cluster configuration, through the cluster.yaml. See tls.md#example-cluster-with-tls. This will allow cluster nodes to use TLS connections to communicate.
  • The FDB K8s operator, in the operator manifest (typically samples/deployment.yaml). See tls.md#configuring-the-operator. This will allow the FDB K8s operator to communicate with the TLS-enabled cluster and the sidecar (assuming your certificates are valid for the Pod IP).
  • If you are using backup: the backup agents, through backup.yaml (see samples/backup.yaml). This will allow the backup agents to use TLS connections to the backup destination.
  • And the FDB clients will also need to have their TLS certificates configured. This will allow the clients to connect to the TLS-enabled FDB cluster.

cert-manager is already deployed in our EKS clusters,
so how do I make my FDB use the certs?

First you need to generate the certificates according to your needs.

This is an example cert-manager wildcard certificate for a namespace, which could be used for testing purposes.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    component: operator
    environment: development
    service: foundationdb
    team: myteam
  name: fdb-certs
  namespace: mynamespace
spec:
  dnsNames:
  - '*.mynamespace'
  - '*.mynamespace.svc'
  - '*.mynamespace.svc.cluster.local'
  - '*.mynamespace.pod.cluster.local'
  duration: 24h
  issuerRef:
    kind: ClusterIssuer
    name: your-trusted-issuer
  privateKey:
    rotationPolicy: Always
  renewBefore: 1h
  secretName: fdb-certs

Then you can make them available to the FDB cluster, operator, backup agents and FDB clients using a volume to share the cert. Note the difference between the secretName, which refers to the TLS certificate, and the volume name. In the example they are both named fdb-certs.

The following excerpts from the documentation show how it is done:

            volumeMounts:
            - name: fdb-certs
              mountPath: /var/fdb-certs
          volumes:
          - name: fdb-certs
            secret:
              secretName: fdb-certs

Known issues

I hope that helps.
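To tie the pieces of the answer together, here is an added example (not from the original post or from the operator's own samples) of how the cert-manager Secret fdb-certs from above can be wired into a FoundationDBCluster resource and into a client Pod. It assumes the cert-manager ClusterIssuer includes the CA under the ca.crt key of the Secret (cert-manager does this only when the issuer provides one), that the operator exposes the cluster file in a ConfigMap named <cluster>-config under the key cluster-file, and that the mount path /var/fdb-certs, the cluster name fdb-tls-demo, the FDB version 7.1.26 and the client image are placeholders you would adapt. The env var names FDB_TLS_CERTIFICATE_FILE, FDB_TLS_KEY_FILE, FDB_TLS_CA_FILE and FDB_TLS_VERIFY_PEERS are the standard FoundationDB TLS settings; the same three file env vars plus the volume mount go into the operator's manager container (tls.md#configuring-the-operator) and into the backup agent spec.

```yaml
# Added example; names, paths and the version are assumptions to adapt.
apiVersion: apps.foundationdb.org/v1beta2
kind: FoundationDBCluster
metadata:
  name: fdb-tls-demo
  namespace: mynamespace
spec:
  version: 7.1.26
  # Enable TLS on the fdbserver processes and on the sidecar that the
  # operator talks to. Both must be enabled for an all-TLS cluster.
  mainContainer:
    enableTls: true
  sidecarContainer:
    enableTls: true
  processes:
    general:
      podTemplate:
        spec:
          containers:
            - name: foundationdb
              env:
                # Key names tls.crt / tls.key / ca.crt are what cert-manager
                # writes into a Certificate's Secret (ca.crt only if the
                # issuer provides a CA).
                - name: FDB_TLS_CERTIFICATE_FILE
                  value: /var/fdb-certs/tls.crt
                - name: FDB_TLS_KEY_FILE
                  value: /var/fdb-certs/tls.key
                - name: FDB_TLS_CA_FILE
                  value: /var/fdb-certs/ca.crt
                # Check.Valid=1 requires every peer cert to chain to the CA
                # above (the FDB default). Tighten it with issuer/subject
                # constraints such as I.CN=... once you know your CA's DN.
                - name: FDB_TLS_VERIFY_PEERS
                  value: "Check.Valid=1"
              volumeMounts:
                - name: fdb-certs
                  mountPath: /var/fdb-certs
                  readOnly: true
            - name: foundationdb-kubernetes-sidecar
              env:
                - name: FDB_TLS_CERTIFICATE_FILE
                  value: /var/fdb-certs/tls.crt
                - name: FDB_TLS_KEY_FILE
                  value: /var/fdb-certs/tls.key
                - name: FDB_TLS_CA_FILE
                  value: /var/fdb-certs/ca.crt
                - name: FDB_TLS_VERIFY_PEERS
                  value: "Check.Valid=1"
              volumeMounts:
                - name: fdb-certs
                  mountPath: /var/fdb-certs
                  readOnly: true
          volumes:
            # Volume name (fdb-certs) and secretName (fdb-certs) are
            # different things that merely share a name here.
            - name: fdb-certs
              secret:
                secretName: fdb-certs
---
# A client Pod using the same Secret, e.g. for running fdbcli against the
# TLS-enabled cluster. Assumes the operator publishes the cluster file in
# the ConfigMap fdb-tls-demo-config under the key cluster-file.
apiVersion: v1
kind: Pod
metadata:
  name: fdb-tls-client
  namespace: mynamespace
spec:
  containers:
    - name: client
      image: foundationdb/foundationdb:7.1.26   # placeholder image
      command: ["sleep", "infinity"]
      env:
        - name: FDB_CLUSTER_FILE
          value: /var/fdb/cluster-file
        - name: FDB_TLS_CERTIFICATE_FILE
          value: /var/fdb-certs/tls.crt
        - name: FDB_TLS_KEY_FILE
          value: /var/fdb-certs/tls.key
        - name: FDB_TLS_CA_FILE
          value: /var/fdb-certs/ca.crt
        - name: FDB_TLS_VERIFY_PEERS
          value: "Check.Valid=1"
      volumeMounts:
        - name: fdb-certs
          mountPath: /var/fdb-certs
          readOnly: true
        - name: cluster-file
          mountPath: /var/fdb
  volumes:
    - name: fdb-certs
      secret:
        secretName: fdb-certs
    - name: cluster-file
      configMap:
        name: fdb-tls-demo-config
        items:
          - key: cluster-file
            path: cluster-file
```

Two things to check before relying on this in production: the 24h certificate duration in the cert-manager example above means the Secret contents rotate daily, and FoundationDB processes only pick up new key material when they reload it, so confirm how your operator version handles certificate rotation; and Check.Valid=1 only enforces chain validation, so any certificate issued by the same ClusterIssuer (for example one from another namespace) would be accepted as a peer unless you add issuer or subject constraints to FDB_TLS_VERIFY_PEERS.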