TLS Certificates for Aerospike on Kubernetes
To set up a TLS-enabled Aerospike cluster, first use kubectl to create a Kubernetes Secret which contains the TLS certificates and key. For example, the command create a Secret from the contents of the config/samples/secrets
folder is:
kubectl create secret generic aerospike-secret --from-file=config/samples/secrets -n aerospike
See the Aerospike documentation for more details on Aerospike TLS configuration.
Next, add the TLS-specific configuration to the Aerospike cluster's CR file.
storage:
filesystemVolumePolicy:
cascadeDelete: true
initMethod: deleteFiles
volumes:
- name: workdir
aerospike:
path: /opt/aerospike
source:
persistentVolume:
storageClass: ssd
volumeMode: Filesystem
size: 1Gi
- name: ns
aerospike:
path: /opt/aerospike/data
source:
persistentVolume:
storageClass: ssd
volumeMode: Filesystem
size: 3Gi
- name: aerospike-config-secret
source:
secret:
secretName: aerospike-secret
aerospike:
path: /etc/aerospike/secret
aerospikeConfig:
service:
feature-key-file: /etc/aerospike/secret/features.conf
security: {}
network:
service:
tls-name: aerospike-a-0.test-runner
tls-authenticate-client: any
tls-port: 4333
heartbeat:
tls-name: aerospike-a-0.test-runner
tls-port: 3012
fabric:
tls-name: aerospike-a-0.test-runner
tls-port: 3011
tls:
- name: aerospike-a-0.test-runner
cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
key-file: /etc/aerospike/secret/svc_key.pem
ca-file: /etc/aerospike/secret/cacert.pem
For the full CR file, see the example TLS cluster CR.
This and other example CRs are stored in the main Aerospike Kubernetes Operator repository.
Save and exit the file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Rotate TLS Certs
To change the TLS certificate, first update the TLS file(s) which contain the certificates and keys. Use the same filename(s) you originally added to the secrets
folder.
Then update the Secret from that folder with the command:
kubectl create secret generic aerospike-secret --from-file=. -n aerospike --dry-run=client -o yaml | kubectl apply -f -
Kubernetes automatically syncs Secrets and config maps on the pods at regular intervals as described here in the official Kubernetes documentation. After Kubernetes syncs the Secret onto the pod, Aerospike Server will pick up the new TLS certificates and use them for newer connections created from that point on.