New to KubeDB? Please start here.

Reconfiguring TLS for Qdrant

This guide will give an overview of how KubeDB Ops-manager reconfigures TLS for a Qdrant database.

QdrantOpsRequest CRD Specification:

KubeDB uses the following CRD fields to reconfigure TLS/SSL in Qdrant.

spec:
- type: ReconfigureTLS
- tls:
  - issuerRef
  - certificates
  - client
  - p2p
  - rotateCertificates
  - remove

Read about the fields in detail from the QdrantOpsRequest Concepts page.

Before You Begin

You should be familiar with the following KubeDB concepts:
Use the example files from docs/examples/qdrant/quickstart/distributed.yaml and docs/examples/qdrant/reconfigure-tls/.

kubectl create ns demo

Deploy Qdrant

kubectl apply -f https://github.com/kubedb/docs/raw/v2026.4.27/docs/examples/qdrant/quickstart/distributed.yaml
kubectl get qdrant -n demo qdrant-sample -w

How Reconfigure TLS Works

The following figure shows how KubeDB reconfigures TLS in Qdrant. Open the image in a new tab to see the enlarged version.

The Reconfigure TLS process consists of the following steps:

At first, a user creates a Qdrant CR.
KubeDB-Provisioner operator watches the Qdrant CR.
When the operator finds a Qdrant CR, it creates a PetSet and related necessary resources like secrets, services, etc.
Then, in order to reconfigure TLS of the Qdrant database, the user creates a QdrantOpsRequest CR specifying the desired TLS configuration. The user can add TLS to an existing non-TLS database, rotate the existing certificates, change the issuer, or remove TLS entirely.
KubeDB Ops-manager operator watches the QdrantOpsRequest CR.
When it finds a QdrantOpsRequest CR, it pauses the Qdrant object so that the KubeDB-Provisioner operator doesn’t perform any operations on the Qdrant during the TLS reconfiguration process.
Then the KubeDB Ops-manager operator updates the TLS secrets and restarts the pods in a rolling fashion with the new TLS configuration.
After the successful TLS reconfiguration, the KubeDB Ops-manager updates the Qdrant object to reflect the updated TLS state.
After the successful Reconfigure TLS, the KubeDB Ops-manager resumes the Qdrant object so that the KubeDB-Provisioner resumes its usual operations.

KubeDB supports the following TLS reconfiguration operations for Qdrant:

Add TLS — Enable TLS on an existing non-TLS Qdrant database.
Rotate TLS — Rotate the existing TLS certificates to refresh expiring certificates.
Remove TLS — Remove TLS from an existing TLS-enabled Qdrant database.

In the next doc, we are going to show a step-by-step guide on reconfiguring TLS for a Qdrant database using QdrantOpsRequest CRD.

KubeDB Operator

KubeDB Platform

Internal DBaaS for platform teams

Automate database operations with GitOps

Multi-tenant database infrastructure

White-labeled DBaaS offering

Run DBaaS in secure, offline clusters

IBM DB2

MariaDB

Microsoft SQL Server

MySQL

Oracle

Percona XtraDB

PostgreSQL

SAP HanaDB

Cassandra

DocumentDB

MongoDB

Hazelcast

Ignite

Memcached

Redis

Valkey

Elasticsearch

OpenSearch

Solr

Kafka

RabbitMQ

ClickHouse

Druid

SingleStore

Milvus

Qdrant

Weaviate

Neo4j

PgBouncer

Pgpool

ProxySQL

ZooKeeper

Amazon EKS

Google GKE

Microsoft AKS

Red Hat OpenShift

SUSE Rancher

Nutanix Kubernetes Platform

Mirantis Kubernetes Engine

VMware vSphere Kubernetes Service

Alliance Partners

Channel Partners

Managed Service Providers

Operator Documentation

Platform Documentation

Orange Telecom powers its digital future with KubeDB

10× lower costs. 2× faster performance. All with KubeDB.

White-label DBaaS live in 1 month — serving 20,000+ customers

Deploy Cassandra via Kubernetes Cassandra Operator

How to Deploy ClickHouse via Kubernetes ClickHouse Operator

Deploy Memcached using Kubernetes Memcached Operator

Blog

ClickHouse Ops Requests - Day 2 Lifecycle Management for ClickHouse Using KubeDB (Part-2)

Provision and Manage Milvus on Kubernetes using KubeDB

Provision and Manage Weaviate on Kubernetes using KubeDB

Provision and Manage Qdrant on Kubernetes using KubeDB

Videos