
Federal Edition FIPS compliance for Aerospike on Kubernetes

Aerospike Federal Edition provides FIPS 140-2 validated cryptographic modules for organizations that require compliance with federal security standards. Aerospike Kubernetes Operator (AKO) supports deploying and managing Federal Edition clusters with PKI-based authentication.

Prerequisites

Before deploying a Federal Edition cluster:

  • TLS certificates: Prepare a CA certificate plus server certificates and keys for cluster communication (service, heartbeat and fabric). The name configured as tls-name in the CR must appear in the server certificate's CN or Subject Alternative Name.
  • Admin certificates: Generate an admin client certificate, signed by the same CA, whose Common Name (CN) is exactly the admin username. With PKI-based authentication the CN is the identity; a CN that does not match any configured user cannot log in.

Key differences from Aerospike Enterprise Edition

Federal Edition clusters have the following requirements:

Feature                  Enterprise Edition                       Federal Edition
Server image             aerospike/aerospike-server-enterprise    aerospike/aerospike-server-federal
Authentication           Password or PKI-based                    PKI-based only (authMode: PKIOnly)
TLS                      Optional                                 Required (mTLS)
Operator authentication  Password-based                           Certificate-based (operatorClientCert)

PKI-Only authentication

Federal Edition requires PKI-based authentication.

When configuring users:

  • Set authMode: PKIOnly for every user.
  • Omit the per-user secretName (the reference to a password Secret): password authentication is disabled, so there is no password to store.
  • The Common Name (CN) of the certificate a user presents must match the username.

aerospikeAccessControl:
  users:
    - name: admin
      authMode: PKIOnly
      roles:
        - sys-admin
        - user-admin

Client certificates

For Federal Edition clusters, AKO must authenticate using client certificates instead of passwords. Configure the operatorClientCert section of the CR:

operatorClientCert:
  secretCertSource:
    secretName: aerospike-secret
    caCertsFilename: cacert.pem
    clientCertFilename: admin_chain.pem  # admin user cert (CN must match the admin username)
    clientKeyFilename: admin_key.pem     # admin user private key

The client certificate’s Common Name (CN) must match the admin username configured in aerospikeAccessControl.
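The following script is an added example (not code from the Aerospike documentation or from AKO) covering the two certificate prerequisites above: it builds a throwaway CA, a server certificate whose SAN carries the CR's tls-name, and an admin client certificate whose CN is the admin username, then checks both properties and the chain before the files go into the Kubernetes secret. It assumes openssl 1.1.1 or later on the PATH; the file names follow the CR on this page (cacert.pem, svc_cluster_chain.pem, svc_key.pem, admin_chain.pem, admin_key.pem), and the CA, the username and the tls-name are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Aerospike docs or AKO: build a throwaway
# PKI for a Federal Edition cluster and check the two properties PKI-only
# authentication depends on before the files go into the Kubernetes secret:
#   1. the admin client cert CN equals the Aerospike username (authMode: PKIOnly)
#   2. the server cert carries the tls-name used in the CR (as a SAN)
# Assumptions: `openssl` 1.1.1+ on PATH; file names follow the CR on this
# page. CA, username and tls-name below are constructed for the example.
set -eu

ADMIN_USER="${ADMIN_USER:-admin}"                  # aerospikeAccessControl.users[].name
TLS_NAME="${TLS_NAME:-aerospike-a-0.test-runner}"  # network.*.tls-name in the CR
WORKDIR="${WORKDIR:-$(mktemp -d)}"                 # output dir (kubectl --from-file=$WORKDIR)

# Minimal req config so the run does not depend on the system openssl.cnf.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Issue one end-entity cert signed by the example CA.
# $1 = file prefix, $2 = subject CN, $3 = chain file name, $4.. = extension lines
issue_cert() {
  prefix=$1; cn=$2; chain=$3; shift 3
  openssl req -new -config "$WORKDIR/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$cn" -keyout "$WORKDIR/${prefix}_key.pem" \
    -out "$WORKDIR/$prefix.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=CA:FALSE" "$@" > "$WORKDIR/$prefix.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/$prefix.csr" -extfile "$WORKDIR/$prefix.ext" \
    -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/ca_key.pem" -CAcreateserial \
    -out "$WORKDIR/${prefix}_cert.pem" 2>/dev/null
  # Chain file = leaf followed by the CA (the layout clientCertFilename / cert-file use)
  cat "$WORKDIR/${prefix}_cert.pem" "$WORKDIR/cacert.pem" > "$WORKDIR/$chain"
}

# Self-signed example CA, server cert (SAN = tls-name) and admin cert (CN = username).
make_pki() {
  mkdir -p "$WORKDIR"
  write_req_config
  # In production have your real CA sign the CSRs instead of this throwaway CA.
  openssl req -x509 -config "$WORKDIR/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-ca" -keyout "$WORKDIR/ca_key.pem" \
    -out "$WORKDIR/cacert.pem" 2>/dev/null
  # Server cert: Aerospike matches tls-name against the CN/SAN of this cert.
  issue_cert svc "$TLS_NAME" svc_cluster_chain.pem \
    "extendedKeyUsage=serverAuth,clientAuth" "subjectAltName=DNS:$TLS_NAME"
  # Admin client cert: with authMode PKIOnly the CN is the username.
  issue_cert admin "$ADMIN_USER" admin_chain.pem "extendedKeyUsage=clientAuth"
}

# CN of the first (leaf) certificate in a PEM file.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# 0 if the leaf CN equals the expected Aerospike username, 1 otherwise.
check_admin_cn() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# 0 if the server cert's SAN lists the tls-name, 1 otherwise.
check_tls_name() {
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# 0 if the chain verifies against the CA that AKO is given as caCertsFilename.
check_chain() {
  openssl verify -CAfile "$WORKDIR/cacert.pem" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  make_pki
  check_admin_cn "$WORKDIR/admin_chain.pem" "$ADMIN_USER" && echo "admin CN ok"
  check_tls_name "$WORKDIR/svc_cluster_chain.pem" "$TLS_NAME" && echo "tls-name ok"
  check_chain "$WORKDIR/admin_chain.pem" && check_chain "$WORKDIR/svc_cluster_chain.pem" \
    && echo "chains verify"
  echo "certificates written to $WORKDIR"
fi
```

Run it as `sh make-pki.sh run`; the resulting directory (plus your features.conf) can be handed to `kubectl create secret generic aerospike-secret --from-file=...`. The CN check is the one to keep in your pipeline: a certificate that verifies against the CA but whose CN is not a configured user will pass the TLS handshake and still fail authentication.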

Deploy a Federal Edition cluster

  1. Create TLS secrets.

    Create a Kubernetes secret containing everything the CR mounts from it: the CA certificate, the server certificate chain and key for mTLS, the admin client certificate chain and key for AKO's PKI authentication, and the feature key file. The example secrets directory on GitHub includes a collection of example TLS certificates and security credentials; download these files into a local secrets folder. The command below assumes the repository path config/samples/secrets. The example certificates are for testing only; for a production cluster, issue certificates from your own CA.

    kubectl -n aerospike create secret generic aerospike-secret --from-file=config/samples/secrets
  2. Create the cluster CR.

    Create a Federal Edition cluster using the following example CR. Three settings matter for PKI authentication: the empty security stanza enables the Aerospike security subsystem so the user definitions take effect; tls-authenticate-client must not be false, because the server needs the client certificate to identify the user (the CN of the certificate AKO presents, admin_chain.pem, must match the admin user); and every tls-name must be a name present in the server certificate referenced by cert-file.

    apiVersion: asdb.aerospike.com/v1
    kind: AerospikeCluster
    metadata:
      name: aerocluster
      namespace: aerospike
    spec:
      size: 2
      image: aerospike/aerospike-server-federal:8.1.0.0
      storage:
        filesystemVolumePolicy:
          cascadeDelete: true
          initMethod: deleteFiles
        volumes:
          - name: workdir
            aerospike:
              path: /opt/aerospike
            source:
              persistentVolume:
                storageClass: ssd
                volumeMode: Filesystem
                size: 1Gi
          - name: ns
            aerospike:
              path: /test/dev/xvdf
            source:
              persistentVolume:
                storageClass: ssd
                volumeMode: Block
                size: 3Gi
          - name: aerospike-config-secret
            source:
              secret:
                secretName: aerospike-secret
            aerospike:
              path: /etc/aerospike/secret
      podSpec:
        multiPodPerHost: true
      # PKI-based authentication for the admin user
      aerospikeAccessControl:
        users:
          - name: admin
            authMode: PKIOnly
            roles:
              - sys-admin
              - user-admin
      # Operator client certificates for PKI authentication
      operatorClientCert:
        secretCertSource:
          secretName: aerospike-secret
          caCertsFilename: cacert.pem
          clientCertFilename: admin_chain.pem  # admin user cert (CN must match the admin username)
          clientKeyFilename: admin_key.pem     # admin user private key
      aerospikeConfig:
        service:
          feature-key-file: /etc/aerospike/secret/features.conf
        security: {}
        network:
          service:
            tls-name: aerospike-a-0.test-runner
            tls-authenticate-client: any
            tls-port: 4333
          heartbeat:
            tls-name: aerospike-a-0.test-runner
            tls-port: 3012
          fabric:
            tls-name: aerospike-a-0.test-runner
            tls-port: 3011
          tls:
            - name: aerospike-a-0.test-runner
              cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
              key-file: /etc/aerospike/secret/svc_key.pem
              ca-file: /etc/aerospike/secret/cacert.pem
        namespaces:
          - name: test
            replication-factor: 2
            storage-engine:
              type: device
              devices:
                - /test/dev/xvdf
  3. Apply the CR.

    kubectl apply -f aerospike-federal-cluster.yaml