Skip to main content
Loading
Version: Operator 3.3.0

TLS Certificates for Aerospike on Kubernetes

To set up a TLS-enabled Aerospike cluster, first use kubectl to create a Kubernetes Secret containing the TLS certificates and key. For example, the command to create a Secret from the contents of the config/samples/secrets folder is:

kubectl create secret generic aerospike-secret --from-file=config/samples/secrets -n aerospike

See the Aerospike documentation for more details on Aerospike TLS configuration.

Next, add the TLS-specific configuration to the Aerospike cluster's CR file.

  storage:
filesystemVolumePolicy:
cascadeDelete: true
initMethod: deleteFiles
volumes:
- name: workdir
aerospike:
path: /opt/aerospike
source:
persistentVolume:
storageClass: ssd
volumeMode: Filesystem
size: 1Gi
- name: ns
aerospike:
path: /opt/aerospike/data
source:
persistentVolume:
storageClass: ssd
volumeMode: Filesystem
size: 3Gi
- name: aerospike-config-secret
source:
secret:
secretName: aerospike-secret
aerospike:
path: /etc/aerospike/secret

aerospikeConfig:
service:
feature-key-file: /etc/aerospike/secret/features.conf
security: {}
network:
service:
tls-name: aerospike-a-0.test-runner
tls-authenticate-client: any
tls-port: 4333
heartbeat:
tls-name: aerospike-a-0.test-runner
tls-port: 3012
fabric:
tls-name: aerospike-a-0.test-runner
tls-port: 3011
tls:
- name: aerospike-a-0.test-runner
cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
key-file: /etc/aerospike/secret/svc_key.pem
ca-file: /etc/aerospike/secret/cacert.pem

For the full CR file, see the example TLS cluster CR.

This and other example CRs are stored in the main Aerospike Kubernetes Operator repository.

Save and exit the file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Rotate TLS certificates

To change the TLS certificate:

  1. Update the TLS file(s) that contain the certificates and keys. Use the same filename(s) you originally added to the secrets folder.

  2. Update the Secret from that folder with the command:

kubectl create secret generic aerospike-secret --from-file=. -n aerospike --dry-run=client -o yaml | kubectl apply -f -

Kubernetes automatically syncs Secrets and config maps on the pods at regular intervals as described here in the official Kubernetes documentation. After Kubernetes syncs the Secret with the pod, Aerospike Server picks up the new TLS certificates and uses them for newer connections created from that point on.