# TLS certificates for Aerospike on Kubernetes

## Set up a TLS-enabled cluster

To set up a TLS-enabled Aerospike cluster, first use kubectl to create a Kubernetes Secret containing the TLS certificates and key.

1.  Run the following command to create a Secret from the contents of the `config/samples/secrets` folder:
    
    ```shell
    kubectl create secret generic aerospike-secret --from-file=config/samples/secrets -n aerospike
    ```
    
    See the Aerospike documentation for [more details on Aerospike TLS configuration](https://aerospike.com/docs/database/manage/network/tls).
    
2.  Add the TLS-specific configuration to the Aerospike cluster's Custom Resource (CR) file. Modify the `aerospikeConfig.network` stanza as shown in the following example. The `storage` section is included because it mounts `aerospike-secret` at `/etc/aerospike/secret`, which is where the `cert-file`, `key-file` and `ca-file` paths in the `tls` entry point:
    
    ```yaml
      storage:
        filesystemVolumePolicy:
          cascadeDelete: true
          initMethod: deleteFiles
        volumes:
          - name: workdir
            aerospike:
              path: /opt/aerospike
            source:
              persistentVolume:
                storageClass: ssd
                volumeMode: Filesystem
                size: 1Gi
          - name: ns
            aerospike:
              path: /opt/aerospike/data
            source:
              persistentVolume:
                storageClass: ssd
                volumeMode: Filesystem
                size: 3Gi
          - name: aerospike-config-secret
            source:
              secret:
                secretName: aerospike-secret
            aerospike:
              path: /etc/aerospike/secret
      aerospikeConfig:
        service:
          feature-key-file: /etc/aerospike/secret/features.conf
        security: {}
        network:
          service:
            tls-name: aerospike-a-0.test-runner
            tls-authenticate-client: any
            tls-port: 4333
          heartbeat:
            tls-name: aerospike-a-0.test-runner
            tls-port: 3012
          fabric:
            tls-name: aerospike-a-0.test-runner
            tls-port: 3011
          tls:
            - name: aerospike-a-0.test-runner
              cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
              key-file: /etc/aerospike/secret/svc_key.pem
              ca-file: /etc/aerospike/secret/cacert.pem
    ```
    
    For the full CR file, see the [example TLS cluster CR](https://github.com/aerospike/aerospike-kubernetes-operator/blob/v4.3.0/config/samples/tls_cluster_cr.yaml).
    
    This and other example CRs are available in [the main Aerospike Kubernetes Operator repository](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples).
    
3.  Save and exit the file, then use `kubectl` to apply the change.
    
    ```shell
    kubectl apply -f aerospike-cluster.yaml
    ```
    

## Rotate TLS certificates

To change the TLS certificate:

1.  Update the TLS file(s) that contain the certificates and keys. Use the same filename(s) you originally added to the `secrets` folder.
    
2.  Update the Secret from that folder with the command:
    
    ```shell
    kubectl create secret generic aerospike-secret --from-file=. -n aerospike --dry-run=client -o yaml | kubectl apply -f -
    ```
    

Kubernetes automatically syncs Secrets and ConfigMaps to the pods at regular intervals, [as described in the official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/#mounted-secrets-are-updated-automatically). After Kubernetes syncs the Secret to the pod, Aerospike Server picks up the new TLS certificates and uses them for new connections created from that point on; connections that are already open keep using the certificate they were established with until they reconnect.
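A pre-flight check to run on the secrets folder before either `kubectl create secret` command above (initial setup and rotation), as an added example that is not part of the Aerospike documentation or the operator project: it uses `openssl` to confirm that `svc_key.pem` belongs to `svc_cluster_chain.pem`, that the chain verifies against `cacert.pem` (the `ca-file` the server is configured with), and that the leaf certificate is not about to expire. The file names are taken from the CR above; the 30-day expiry margin is an assumed default.

```shell
# Added example (not from the Aerospike operator project): validate the files in
# the secrets folder before they are packed into the aerospike-secret Secret.
# File names follow the CR above; MIN_DAYS (default 30) is an assumed margin.
# Usage: check_tls_secret_dir config/samples/secrets [MIN_DAYS]
check_tls_secret_dir() {
  dir=$1
  min_days=${2:-30}
  cert="$dir/svc_cluster_chain.pem"   # cert-file: leaf first, then intermediates
  key="$dir/svc_key.pem"              # key-file
  ca="$dir/cacert.pem"                # ca-file

  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done

  # 1. The key must belong to the leaf: compare the SubjectPublicKeyInfo of both.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot parse certificate: $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot parse private key: $key" >&2; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "svc_key.pem does not match svc_cluster_chain.pem" >&2; return 1; }

  # 2. The chain must build to the CA the server trusts via ca-file. openssl verify
  #    checks only the first certificate in the file, so the same file is passed
  #    as -untrusted to supply any intermediates it contains.
  openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
    || { echo "chain does not verify against cacert.pem" >&2; return 1; }

  # 3. Refuse a leaf that expires within min_days (-checkend takes seconds).
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "leaf certificate expires within $min_days days" >&2; return 1; }

  echo "ok: $dir is ready for kubectl create secret"
}
```

Run it as `check_tls_secret_dir config/samples/secrets` before step 1 of the setup, and as `check_tls_secret_dir .` from the secrets folder before the rotation command, so a mismatched or expiring certificate never reaches the cluster.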