# Federal Edition FIPS compliance for Aerospike on Kubernetes

Aerospike Federal Edition provides FIPS 140-2 validated cryptographic modules for organizations that require compliance with federal security standards. Aerospike Kubernetes Operator (AKO) supports deploying and managing Federal Edition clusters with PKI-based authentication.

## Prerequisites

Before deploying a Federal Edition cluster:

-   **TLS certificates**: Prepare TLS certificates for cluster communication and PKI authentication.
-   **Admin certificates**: Generate admin certificates with the Common Name (CN) matching the admin username for PKI-based authentication.

## Key differences from Aerospike Enterprise Edition

Federal Edition clusters have the following requirements:

| Feature | Enterprise Edition | Federal Edition |
| --- | --- | --- |
| Server image | `aerospike/aerospike-server-enterprise` | `aerospike/aerospike-server-federal` |
| Authentication | Password or PKI-based | PKI-based only (`authMode: PKIOnly`) |
| TLS | Optional | Required (mTLS) |
| Operator authentication | Password-based | Certificate-based (`operatorClientCert`) |

## PKI-Only authentication

Federal Edition requires PKI-based authentication.

When configuring users:

-   Set `authMode: PKIOnly` for all users
-   The `secretName` field is not required since password authentication is disabled
-   The certificate’s Common Name (CN) must match the username

```yaml
aerospikeAccessControl:
  users:
    - name: admin
      authMode: PKIOnly
      roles:
        - sys-admin
        - user-admin
```

::: caution
Once a user’s `authMode` is set to `PKIOnly`, it cannot be reverted to `Internal`. This is a permanent change.
:::

## Client certificates

For Federal Edition clusters, AKO must authenticate using client certificates instead of passwords. Configure the `operatorClientCert` section of the CR:

```yaml
operatorClientCert:
  secretCertSource:
    secretName: aerospike-secret
    caCertsFilename: cacert.pem
    clientCertFilename: admin_chain.pem    # admin user cert (CN must match admin username)
    clientKeyFilename: admin_key.pem       # admin user private key
```

The client certificate’s Common Name (CN) must match the admin username configured in `aerospikeAccessControl`.

## Deploy a Federal Edition cluster

1.  Create TLS secrets.
    
    Create a Kubernetes secret containing all the required certificates for mTLS and admin user authentication. The [example secrets directory on GitHub](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples/secrets) includes a collection of example TLS certificates and security credentials. Download these files into a local folder called `secrets`.
    
    ```shell
    kubectl -n aerospike create secret generic aerospike-secret --from-file=config/samples/secrets
    ```
    
2.  Create the cluster CR.
    
    Create a Federal Edition cluster using the following example CR:
    
    ```yaml
    apiVersion: asdb.aerospike.com/v1
    kind: AerospikeCluster
    metadata:
      name: aerocluster
      namespace: aerospike
    spec:
      size: 2
      image: aerospike/aerospike-server-federal:8.1.1.0
      storage:
        filesystemVolumePolicy:
          cascadeDelete: true
          initMethod: deleteFiles
        volumes:
          - name: workdir
            aerospike:
              path: /opt/aerospike
            source:
              persistentVolume:
                storageClass: ssd
                volumeMode: Filesystem
                size: 1Gi
          - name: ns
            aerospike:
              path: /test/dev/xvdf
            source:
              persistentVolume:
                storageClass: ssd
                volumeMode: Block
                size: 3Gi
          - name: aerospike-config-secret
            source:
              secret:
                secretName: aerospike-secret
            aerospike:
              path: /etc/aerospike/secret
      podSpec:
        multiPodPerHost: true
      # PKI-based authentication for admin user
      aerospikeAccessControl:
        users:
          - name: admin
            authMode: PKIOnly
            roles:
              - sys-admin
              - user-admin
      # Operator client certificates for PKI authentication
      operatorClientCert:
        secretCertSource:
          secretName: aerospike-secret
          caCertsFilename: cacert.pem
          clientCertFilename: admin_chain.pem    # admin user cert (CN must match admin username)
          clientKeyFilename: admin_key.pem       # admin user private key
      aerospikeConfig:
        service:
          feature-key-file: /etc/aerospike/secret/features.conf
        security: {}
        network:
          service:
            tls-name: aerospike-a-0.test-runner
            tls-authenticate-client: any
            tls-port: 4333
          heartbeat:
            tls-name: aerospike-a-0.test-runner
            tls-port: 3012
          fabric:
            tls-name: aerospike-a-0.test-runner
            tls-port: 3011
          tls:
            - name: aerospike-a-0.test-runner
              cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
              key-file: /etc/aerospike/secret/svc_key.pem
              ca-file: /etc/aerospike/secret/cacert.pem
        namespaces:
          - name: test
            replication-factor: 2
            storage-engine:
              type: device
              devices:
                - /test/dev/xvdf
    ```
    
3.  Apply the CR.
    
    ```bash
    kubectl apply -f aerospike-federal-cluster.yaml
    ```
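Before applying the CR, it is worth catching the Federal Edition requirements from the sections above in one pass. The following pre-flight check is an added example and not AKO code: it takes the CR as a plain dict (what `yaml.safe_load` returns on the manifest; PyYAML itself is not imported here) and lists every rule the CR violates, using a constructed sample CR that mirrors the one above. It cannot check that the certificate CN matches the admin username, since that needs the PEM file rather than the CR.

```python
"""Pre-flight checks for a Federal Edition AerospikeCluster CR (added example, not AKO code)."""
FEDERAL_IMAGE = "aerospike/aerospike-server-federal:"
CERT_SOURCE_KEYS = ("secretName", "caCertsFilename", "clientCertFilename", "clientKeyFilename")


def federal_findings(cr):
    """Return rule violations for a CR dict (e.g. from yaml.safe_load); empty list means it passes."""
    spec = cr.get("spec", {})
    findings = []
    image = spec.get("image", "")
    if not image.startswith(FEDERAL_IMAGE):
        findings.append(f"image {image!r} is not the Federal Edition server image")
    # Every user must be PKIOnly: Federal Edition has no password authentication to fall back on.
    users = spec.get("aerospikeAccessControl", {}).get("users", [])
    if not users:
        findings.append("aerospikeAccessControl.users is empty; an admin user is required")
    for user in users:
        if user.get("authMode") != "PKIOnly":
            findings.append(f"user {user.get('name')!r} must use authMode: PKIOnly")
    # AKO authenticates with a client certificate, so every secretCertSource file name is needed.
    src = spec.get("operatorClientCert", {}).get("secretCertSource")
    if not src:
        findings.append("operatorClientCert.secretCertSource is required")
    else:
        findings += [f"operatorClientCert.secretCertSource.{k} is missing" for k in CERT_SOURCE_KEYS if not src.get(k)]
    # Service, heartbeat and fabric must all use a tls-name declared under network.tls,
    # and the service port must demand client certificates (mTLS), not merely offer TLS.
    network = spec.get("aerospikeConfig", {}).get("network", {})
    tls_names = {t.get("name") for t in network.get("tls", [])}
    for port in ("service", "heartbeat", "fabric"):
        section = network.get(port, {})
        if "tls-port" not in section or section.get("tls-name") not in tls_names:
            findings.append(f"network.{port} needs tls-port and a tls-name declared under network.tls")
    if network.get("service", {}).get("tls-authenticate-client") in (None, False, "false"):
        findings.append("network.service.tls-authenticate-client must require client certificates")
    return findings


# Constructed sample mirroring the CR above, except the image is mistakenly the Enterprise one.
SAMPLE_CR = {"spec": {
    "image": "aerospike/aerospike-server-enterprise:8.1.1.0",
    "aerospikeAccessControl": {"users": [{"name": "admin", "authMode": "PKIOnly", "roles": ["sys-admin"]}]},
    "operatorClientCert": {"secretCertSource": {
        "secretName": "aerospike-secret", "caCertsFilename": "cacert.pem",
        "clientCertFilename": "admin_chain.pem", "clientKeyFilename": "admin_key.pem"}},
    "aerospikeConfig": {"network": {
        "service": {"tls-name": "aerospike-a-0.test-runner", "tls-authenticate-client": "any", "tls-port": 4333},
        "heartbeat": {"tls-name": "aerospike-a-0.test-runner", "tls-port": 3012},
        "fabric": {"tls-name": "aerospike-a-0.test-runner", "tls-port": 3011},
        "tls": [{"name": "aerospike-a-0.test-runner", "cert-file": "/etc/aerospike/secret/svc_cluster_chain.pem"}]}}}}
```

Running `federal_findings(SAMPLE_CR)` reports only the wrong image; fixing the image tag yields an empty list, so the CR can be applied.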
    

## Related documentation

-   [Access control](https://aerospike.com/docs/kubernetes/manage/security/access-control) - Configure users, roles, and authentication modes
-   [Manage TLS certificates](https://aerospike.com/docs/kubernetes/manage/security/certificates) - TLS configuration for Aerospike clusters
-   [Configuration reference](https://aerospike.com/docs/kubernetes/reference/config-reference) - Complete CR configuration options