{ "id": "manage-rec-certificates", "title": "Manage Redis Enterprise cluster (REC) certificates", "url": "https://redis.io/docs/latest/operate/kubernetes/8.0.18/security/manage-rec-certificates/", "summary": "Install your own certificates to replace the self-signed certificates used by a Redis Enterprise cluster on Kubernetes.", "content": "\nRedis Software for Kubernetes generates self-signed TLS certificates for each new cluster. You can replace any of those certificates with your own.\n\nYou can manage REC certificates in two ways:\n\n- **[Method 1: Manage certificates with the REC custom resource](#method-1-manage-certificates-with-the-rec-custom-resource)** (recommended). Store each certificate in a Kubernetes secret and reference the secret from the REC custom resource. The operator applies the certificate and keeps the cluster in sync with the secret. Use this method whenever the certificate type is exposed in `spec.certificates`.\n- **[Method 2: Manage certificates with the Redis Software REST API](#method-2-manage-certificates-with-the-redis-software-rest-api)**. Call the cluster's REST API directly, bypassing the operator. Use this method only when you need to follow the Redis Software procedure for a cluster that does not define the certificate in `spec.certificates`. The operator overwrites changes made this way if the same certificate is also defined in the REC custom resource.\n\nFor the list of certificates and what each one encrypts, see the [certificates table](https://redis.io/docs/latest/operate/rs/security/certificates).\n\n## Method 1: Manage certificates with the REC custom resource\n\nThis is the Kubernetes-native method. The operator detects changes to a referenced secret and rotates the certificate without manual intervention. You can create the secret manually, or have [cert-manager](https://redis.io/docs/latest/operate/kubernetes/security/cert-manager) issue and renew it automatically.\n\n### Supported certificates\n\nThe REC custom resource lets you replace these certificates through `spec.certificates`:\n\n| Certificate | REC custom resource field | Certificate name in Redis Software |\n| ---------------------------------- | --------------------------------------------- | ---------------------------------- |\n| API | `apiCertificateSecretName` | `api` |\n| Cluster Manager UI | `cmCertificateSecretName` | `cm` |\n| Control plane internode encryption | `cpInternodeEncryptionCertificateSecretName` | `cp_internode_encryption` |\n| Data plane internode encryption | `dpInternodeEncryptionCertificateSecretName` | `dp_internode_encryption` |\n| LDAP client | `ldapClientCertificateSecretName` | `ldap_client` |\n| Metrics exporter | `metricsExporterCertificateSecretName` | `metrics_exporter` |\n| Proxy | `proxyCertificateSecretName` | `proxy` |\n| SSO issuer (SAML IdP) | `ssoIssuerCertificateSecretName` | `sso_issuer` |\n| SSO service (SAML SP) | `ssoServiceCertificateSecretName` | `sso_service` |\n| Syncer | `syncerCertificateSecretName` | `syncer` |\n\nRotating any of these certificates does not restart REC pods.\n\n### Step 1: Create a secret for the certificate\n\nCreate a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/) that holds the PEM-encoded certificate and key:\n\n```sh\nkubectl create secret generic \u003csecret-name\u003e \\\n --from-file=certificate=\u003c/path/to/certificate.pem\u003e \\\n --from-file=key=\u003c/path/to/key.pem\u003e\n```\n\nChoose any value for `\u003csecret-name\u003e`; you'll reference it from `spec.certificates` in [Step 2](#step-2-reference-the-secret-in-the-rec-custom-resource). The operator resolves which Redis Software certificate to replace from the REC field name, not from the secret.\n\n#### Supported secret keys\n\nThe operator accepts several key names for the certificate and private key, so you can use either an opaque secret or a [kubernetes.io/tls](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) secret (the format that cert-manager produces):\n\n| Field | Accepted secret keys |\n| ----------- | ------------------------------------- |\n| Certificate | `cert`, `certificate`, or `tls.crt` |\n| Private key | `key` or `tls.key` |\n\nOn Redis Software for Kubernetes versions older than 8.0.18, also include `--from-literal=name=\u003ccertificate-name\u003e` in the `kubectl create secret` command, where `\u003ccertificate-name\u003e` is the value from the **Certificate name in Redis Software** column in the [supported certificates](#supported-certificates) table.\n\nFor internode encryption certificates, see [Internode encryption](https://redis.io/docs/latest/operate/kubernetes/security/internode-encryption) for the full setup, which covers enabling internode encryption alongside the certificate configuration.\n\n### Step 2: Reference the secret in the REC custom resource\n\nEdit the REC custom resource and add a `certificates` section under `spec`. Include only the fields for the certificates you are replacing; omit the rest.\n\n```yaml\nspec:\n certificates:\n apiCertificateSecretName: \u003capicert-secret-name\u003e\n cmCertificateSecretName: \u003ccmcert-secret-name\u003e\n cpInternodeEncryptionCertificateSecretName: \u003ccpine-secret-name\u003e\n dpInternodeEncryptionCertificateSecretName: \u003cdpine-secret-name\u003e\n ldapClientCertificateSecretName: \u003cldapcert-secret-name\u003e\n metricsExporterCertificateSecretName: \u003cmetricscert-secret-name\u003e\n proxyCertificateSecretName: \u003cproxycert-secret-name\u003e\n ssoIssuerCertificateSecretName: \u003cssoissuer-secret-name\u003e\n ssoServiceCertificateSecretName: \u003cssoservice-secret-name\u003e\n syncerCertificateSecretName: \u003csyncercert-secret-name\u003e\n```\n\nApply the updated REC custom resource:\n\n```sh\nkubectl apply -f \u003crec-file\u003e.yaml\n```\n\nThe operator detects the change and rotates the certificate on the cluster. New client connections use the new certificate; existing connections continue with the old one until they reconnect.\n\n### Step 3: Verify the rotation (optional)\n\nTo confirm that the new certificate is in place, call the Redis Software REST API and list the active cluster certificates:\n\n```http\nGET /v1/cluster/certificates\n```\n\n## Method 2: Manage certificates with the Redis Software REST API\n\nUse the Redis Software REST API or `rladmin` directly against the cluster, bypassing the operator.\n\nIf `spec.certificates` in the REC custom resource defines the same certificate, the operator overwrites your API change. Before you update a certificate through the REST API, remove the corresponding field from `spec.certificates`, or apply the same change in both places.\n\nFor the procedure, including the `rladmin` and REST API examples, see [Update certificates](https://redis.io/docs/latest/operate/rs/security/certificates/updating-certificates).\n\nAfter the update, verify the rotation as described in [Step 3](#step-3-verify-the-rotation-optional).\n\n## Active-Active database certificate updates\n\nThe operator automates certificate updates for [Active-Active](https://redis.io/docs/latest/operate/kubernetes/active-active) databases. When you update the proxy or syncer certificate secret referenced by the REC, the operator detects the change and propagates the new certificate to all participating clusters.\n\nThis automation applies whether you manage the secret directly or with [cert-manager](https://redis.io/docs/latest/operate/kubernetes/security/cert-manager#active-active-databases-with-automatic-certificate-sync).\n\n## More info\n\n- [Update certificates](https://redis.io/docs/latest/operate/rs/security/certificates/updating-certificates)\n- [Install your own certificates](https://redis.io/docs/latest/operate/rs/security/certificates/create-certificates)\n- [Certificates table](https://redis.io/docs/latest/operate/rs/security/certificates)\n- [Glossary/Transport Layer Security (TLS)](https://redis.io/docs/latest/glossary#letter-t)\n", "tags": ["docs","operate","kubernetes"], "last_updated": "2026-06-04T14:49:57+01:00" }