TLS requirements

DataRobot strongly recommends securing all network traffic in your Kubernetes cluster using TLS. General cluster security best practices include:

Note

These cluster-level security measures are outside the scope of the DataRobot installation; they are the responsibility of your organization.

Issuers and certificates

For issuing and managing TLS certificates, DataRobot supports the following methods:

  1. (Recommended) Automated issuance and management using cert-manager.
  2. Manual management using a custom Certificate Authority (CA) issuer to sign TLS certificates.

There are several important reasons for using cert-manager, including:

  • It is a Cloud Native Computing Foundation (CNCF) member project and the industry standard for managing TLS within Kubernetes clusters.
  • It automatically issues, renews, and rotates TLS certificates within the cluster with zero downtime.
  • It supports many third-party issuers from Public CAs, as well as configurable Private CA issuers.
  • It is proven to securely automate certificate management at scale within DataRobot's multi-tenant and single-tenant SaaS environments.
  • It provides open-source Helm charts that are easy to install, with vendor support from Jetstack.
  • Long Term Support (LTS) releases, commercial support, and FIPS-validated builds are available from Venafi if your organization prefers vendor support.

cert-manager requires cluster-level RBAC admin permissions to create cluster-level resources such as Custom Resource Definitions (CRDs) and ClusterRoles/ClusterRoleBindings. However, the certificates themselves are namespace-scoped and are managed without cluster-level permissions.
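As an added example (not taken from the DataRobot documentation or the cert-manager project), the manifests below show the namespace-scoped pattern described above: a CA Issuer backed by a private CA key pair, and a Certificate that cert-manager signs with it and renews automatically. The namespace, Secret names, and service host names are assumptions.

```yaml
# Namespace-scoped CA Issuer backed by a private CA key pair stored in a Secret.
# Assumption: the Secret "datarobot-private-ca" (type kubernetes.io/tls) already
# holds tls.crt / tls.key for the private CA; namespace and names are placeholders.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: private-ca-issuer
  namespace: datarobot
spec:
  ca:
    secretName: datarobot-private-ca
---
# Leaf certificate for an in-cluster service, issued and rotated by cert-manager.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: datarobot-app-tls
  namespace: datarobot
spec:
  secretName: datarobot-app-tls   # cert-manager writes tls.crt, tls.key and ca.crt here
  duration: 2160h                 # 90-day validity
  renewBefore: 360h               # renew 15 days before expiry, without downtime
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always        # generate a fresh private key on every renewal
  usages:
    - server auth
  dnsNames:
    - datarobot-app.datarobot.svc
    - datarobot-app.datarobot.svc.cluster.local
  issuerRef:
    name: private-ca-issuer
    kind: Issuer                  # namespace-scoped; no ClusterIssuer or cluster RBAC needed
```

Only the cert-manager installation itself needs cluster-level RBAC; both resources above live entirely in the application namespace, and workloads mount the resulting Secret as an ordinary TLS Secret.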

If you prefer to manage certificates manually instead of installing cert-manager, see the following for details:

Trust bundles

For establishing trust via Certificate Authorities (CAs), the DataRobot platform supports:

  • Public CA (recommended)
  • Private CA
  • Self-signed certificates (not recommended, with limitations)

Public CAs such as Let's Encrypt and Verisign are supported as issuers in cert-manager and are typically contained within the operating system's root trust store.

If your organization has its own Public Key Infrastructure (PKI) or uses a Private CA for signing TLS certificates, you can configure a Custom CA bundle. This bundle, containing all Public and Private CA root certificates, is mounted over the system trust store for all workloads in the platform. For more information, see:

Self-signed certificates

Using self-signed certificates for services within the cluster is not supported.

For a subset of external services (e.g., an object storage provider or a private container registry) that have been configured with self-signed certificates, you can configure the DataRobot platform to use TLS with these services; however, you must disable TLS verification.

For more information, see self-signed certificates.