Skip to main content
We are excited to be a part of AWS re:Invent 2024. Visit us at booth #1844 in Las Vegas.More info
Loading
Version: Operator 3.4.0

TLS Certificates for Aerospike on Kubernetes

To set up a TLS-enabled Aerospike cluster, first use kubectl to create a Kubernetes Secret containing the TLS certificates and key. For example, the command to create a Secret from the contents of the config/samples/secrets folder is:

kubectl create secret generic aerospike-secret --from-file=config/samples/secrets -n aerospike

See the Aerospike documentation for more details on Aerospike TLS configuration.

Next, add the TLS-specific configuration to the Aerospike cluster's CR file.

  storage:
    filesystemVolumePolicy:
      cascadeDelete: true
      initMethod: deleteFiles
    volumes:
      - name: workdir
        aerospike:
          path: /opt/aerospike
        source:
          persistentVolume:
            storageClass: ssd
            volumeMode: Filesystem
            size: 1Gi
      - name: ns
        aerospike:
          path: /opt/aerospike/data
        source:
          persistentVolume:
            storageClass: ssd
            volumeMode: Filesystem
            size: 3Gi
      - name: aerospike-config-secret
        source:
          secret:
            secretName: aerospike-secret
        aerospike:
          path: /etc/aerospike/secret

  aerospikeConfig:
    service:
      feature-key-file: /etc/aerospike/secret/features.conf
    security: {}
    network:
      service:
        tls-name: aerospike-a-0.test-runner
        tls-authenticate-client: any
        tls-port: 4333
      heartbeat:
        tls-name: aerospike-a-0.test-runner
        tls-port: 3012
      fabric:
        tls-name: aerospike-a-0.test-runner
        tls-port: 3011
      tls:
        - name: aerospike-a-0.test-runner
          cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
          key-file: /etc/aerospike/secret/svc_key.pem
          ca-file: /etc/aerospike/secret/cacert.pem

For the full CR file, see the example TLS cluster CR.

This and other example CRs are available in the main Aerospike Kubernetes Operator repository.

Save and exit the file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Rotate TLS certificates

To change the TLS certificate:

  1. Update the TLS file(s) that contain the certificates and keys. Use the same filename(s) you originally added to the secrets folder.

  2. Update the Secret from that folder with the command:

kubectl create secret generic aerospike-secret --from-file=. -n aerospike --dry-run=client -o yaml | kubectl apply -f -

Kubernetes automatically syncs Secrets and config maps on the pods at regular intervals as described here in the official Kubernetes documentation. After Kubernetes syncs the Secret with the pod, Aerospike Server picks up the new TLS certificates and uses them for newer connections created from that point on.

Last updated on