TLS Certificates for Aerospike on Kubernetes

To set up a TLS-enabled Aerospike cluster, first use kubectl to create a Kubernetes Secret containing the TLS certificates and key.

  1. Run the following command to create a Secret from the contents of the config/samples/secrets folder:

    kubectl create secret generic aerospike-secret --from-file=config/samples/secrets -n aerospike

    See the Aerospike documentation for more details on Aerospike TLS configuration.

  2. Add the TLS-specific configuration to the Aerospike cluster’s CR file. Modify the aerospikeConfig.network stanza as shown in the following example:

    storage:
      filesystemVolumePolicy:
        cascadeDelete: true
        initMethod: deleteFiles
      volumes:
        - name: workdir
          aerospike:
            path: /opt/aerospike
          source:
            persistentVolume:
              storageClass: ssd
              volumeMode: Filesystem
              size: 1Gi
        - name: ns
          aerospike:
            path: /opt/aerospike/data
          source:
            persistentVolume:
              storageClass: ssd
              volumeMode: Filesystem
              size: 3Gi
        - name: aerospike-config-secret
          source:
            secret:
              secretName: aerospike-secret
          aerospike:
            path: /etc/aerospike/secret
    aerospikeConfig:
      service:
        feature-key-file: /etc/aerospike/secret/features.conf
      security: {}
      network:
        service:
          tls-name: aerospike-a-0.test-runner
          tls-authenticate-client: any
          tls-port: 4333
        heartbeat:
          tls-name: aerospike-a-0.test-runner
          tls-port: 3012
        fabric:
          tls-name: aerospike-a-0.test-runner
          tls-port: 3011
        tls:
          - name: aerospike-a-0.test-runner
            cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
            key-file: /etc/aerospike/secret/svc_key.pem
            ca-file: /etc/aerospike/secret/cacert.pem

    For the full CR file, see the example TLS cluster CR.

    This and other example CRs are available in the main Aerospike Kubernetes Operator repository.

  3. Save and exit the file, then use kubectl to apply the change.

    kubectl apply -f aerospike-cluster.yaml

Rotate TLS certificates

To change the TLS certificate:

  1. Update the TLS file(s) that contain the certificates and keys. Use the same filename(s) you originally added to the secrets folder.

  2. From inside that folder, update the Secret with the following command (--from-file=. reads the files in the current directory):

    kubectl create secret generic aerospike-secret --from-file=. -n aerospike --dry-run=client -o yaml | kubectl apply -f -

Kubernetes automatically syncs Secrets and ConfigMaps to the pods at regular intervals, as described in the official Kubernetes documentation. After Kubernetes syncs the Secret with the pod, Aerospike Server picks up the new TLS certificates and uses them for new connections created from that point on.
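
The two checks a rotation calls for, as an added example that is not part of the Aerospike documentation: preflight confirms, before the Secret is updated, that the new key matches the certificate, that the chain verifies against cacert.pem and that the certificate is not about to expire; synced confirms afterwards that the pod's mounted copy is the new certificate. The folder and pod name arguments are assumptions, and synced assumes cat is available in the pod's default container.

```shell
#!/bin/sh
# Added example, not Aerospike's code. File names and the mount path are the ones
# the CR above references; the folder and pod name arguments are assumptions.

# SHA-256 fingerprint of the first (leaf) certificate of a PEM stream on stdin.
leaf_fingerprint() { openssl x509 -noout -fingerprint -sha256; }

# preflight DIR [DAYS]: run on the secrets folder before updating the Secret.
# Returns 0 if usable, 2 missing file, 3 key mismatch, 4 chain failure, 5 expiring.
preflight() {
  pf_cert=$1/svc_cluster_chain.pem
  pf_key=$1/svc_key.pem
  pf_ca=$1/cacert.pem
  pf_days=${2:-30}
  for pf_f in "$pf_cert" "$pf_key" "$pf_ca"; do
    [ -s "$pf_f" ] || { echo "missing or empty: $pf_f" >&2; return 2; }
  done
  # The public key in the leaf must be the one derived from the private key.
  pf_a=$(openssl x509 -in "$pf_cert" -noout -pubkey 2>/dev/null)
  pf_b=$(openssl pkey -in "$pf_key" -pubout 2>/dev/null)
  [ -n "$pf_a" ] && [ "$pf_a" = "$pf_b" ] ||
    { echo "svc_key.pem does not match svc_cluster_chain.pem" >&2; return 3; }
  # -untrusted supplies any intermediates bundled in the chain file.
  openssl verify -CAfile "$pf_ca" -untrusted "$pf_cert" "$pf_cert" >/dev/null 2>&1 ||
    { echo "chain does not verify against cacert.pem" >&2; return 4; }
  openssl x509 -in "$pf_cert" -noout -checkend $((pf_days * 86400)) >/dev/null ||
    { echo "certificate expires within $pf_days days" >&2; return 5; }
}

# synced DIR POD: after the update, succeeds once the pod's mounted copy of the
# certificate is the new leaf (Kubernetes has synced the Secret to the pod).
synced() {
  sy_local=$(leaf_fingerprint <"$1/svc_cluster_chain.pem") || return 1
  sy_pod=$(kubectl exec -n aerospike "$2" -- \
    cat /etc/aerospike/secret/svc_cluster_chain.pem | leaf_fingerprint) || return 1
  [ "$sy_local" = "$sy_pod" ]
}
```

Call preflight on the secrets folder before running the update command in step 2, then poll synced with the folder and a pod name until it succeeds. Only the certificate is read back from the pod; the private key never leaves it.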
