TLS Certificates for Aerospike on Kubernetes
To set up a TLS-enabled Aerospike cluster, first use kubectl to create a Kubernetes Secret containing the TLS certificates and key.
For example, the command to create a Secret from the contents of the config/samples/secrets
folder is:
kubectl create secret generic aerospike-secret --from-file=config/samples/secrets -n aerospike
See the Aerospike documentation for more details on Aerospike TLS configuration.
Next, add the TLS-specific configuration to the Aerospike cluster's CR file.
storage:
filesystemVolumePolicy:
cascadeDelete: true
initMethod: deleteFiles
volumes:
- name: workdir
aerospike:
path: /opt/aerospike
source:
persistentVolume:
storageClass: ssd
volumeMode: Filesystem
size: 1Gi
- name: ns
aerospike:
path: /opt/aerospike/data
source:
persistentVolume:
storageClass: ssd
volumeMode: Filesystem
size: 3Gi
- name: aerospike-config-secret
source:
secret:
secretName: aerospike-secret
aerospike:
path: /etc/aerospike/secret
aerospikeConfig:
service:
feature-key-file: /etc/aerospike/secret/features.conf
security: {}
network:
service:
tls-name: aerospike-a-0.test-runner
tls-authenticate-client: any
tls-port: 4333
heartbeat:
tls-name: aerospike-a-0.test-runner
tls-port: 3012
fabric:
tls-name: aerospike-a-0.test-runner
tls-port: 3011
tls:
- name: aerospike-a-0.test-runner
cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
key-file: /etc/aerospike/secret/svc_key.pem
ca-file: /etc/aerospike/secret/cacert.pem
For the full CR file, see the example TLS cluster CR.
This and other example CRs are stored in the main Aerospike Kubernetes Operator repository.
Save and exit the file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Rotate TLS certificates
To change the TLS certificate:
Update the TLS file(s) that contain the certificates and keys. Use the same filename(s) you originally added to the
secrets
folder.Update the Secret from that folder with the command:
kubectl create secret generic aerospike-secret --from-file=. -n aerospike --dry-run=client -o yaml | kubectl apply -f -
Kubernetes automatically syncs Secrets and config maps on the pods at regular intervals as described here in the official Kubernetes documentation. After Kubernetes syncs the Secret with the pod, Aerospike Server picks up the new TLS certificates and uses them for newer connections created from that point on.