{
  "id": "configuration-secrets",
  "title": "Store configuration in Kubernetes Secrets",
  "url": "https://redis.io/docs/latest/operate/kubernetes/8.0/security/configuration-secrets/",
  "summary": "Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management.",
  "content": "\nYou can store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management. When you update these Secrets, the operator immediately reads the changes and propagates them to the Redis Enterprise Cluster (REC).\n\n## License configuration\n\nRedis Enterprise clusters require a valid license. You can apply licenses using Kubernetes Secrets (recommended) or embed them directly in the cluster specification.\n\n### Determine your cluster FQDN\n\nTo configure licensing, you need your Redis Enterprise cluster's fully qualified domain name (FQDN). Use this format: `\u003cREC-name\u003e.\u003cnamespace\u003e.svc.cluster.local`\n\nFor example: `my-rec.my-ns.svc.cluster.local`\n\n### Use a Kubernetes Secret (recommended)\n\n1. Create a secret from your license file:\n\n    ```sh\n    kubectl -n \u003cnamespace\u003e create secret generic rec-license --from-file=license=./license.txt\n    ```\n\n2. Add the secret reference to your REC specification:\n\n    ```yaml\n    spec:\n      licenseSecretName: rec-license\n    ```\n\n### Embed license directly in REC specification\n\nAlternatively, you can embed the license directly in the REC YAML:\n\n```yaml\nspec:\n  nodes: 3\n  license: |\n    ----- LICENSE START -----\n    eai14c/y6XNVykffDQSPUsHKcmpgOFUlmyTBDUEZEz+GLbXAgQFOmxcdbR9J\n    ...remaining license key content...\n    ----- LICENSE END -----\n```\n\n\nYou must include the pipe symbol (`|`) after `license:` and maintain proper indentation.\n\n\n## Cluster credential configuration\n\nRedis Enterprise clusters require admin credentials for the operator to manage the cluster. You can configure these credentials using Kubernetes Secrets.\n\n### Default behavior\n\nBy default, the operator automatically creates a secret with a random username and auto-generated password during cluster creation. The secret name defaults to the cluster name.\n\n### Customize the credential secret\n\nYou can customize the credential secret name during cluster creation using the `clusterCredentialSecretName` field in your REC specification. The secret must contain `username` and `password` fields.\n\n\nThe `clusterCredentialSecretName` field cannot be changed after cluster creation.\n\n\nFor detailed instructions, see [Customize the credential secret name](https://redis.io/docs/latest/operate/kubernetes/security/manage-rec-credentials#customize-the-credential-secret-name).\n\n## TLS certificate configuration\n\nYou can store TLS certificates in Kubernetes Secrets to secure communication between clients and Redis Enterprise databases.\n\n### Client certificates for mTLS\n\n1. Create a secret with your client certificate:\n\n    ```sh\n    kubectl -n \u003cnamespace\u003e create secret generic client-cert-secret --from-file=cert=\u003cpath-to-cert\u003e\n    ```\n\n2. Add the secret to your REDB using the `clientAuthenticationCertificates` property. See [Add client certificates](https://redis.io/docs/latest/operate/kubernetes/security/add-client-certificates) for details.\n\n### Service certificates\n\nTo configure certificates for proxy, API, or other services, create secrets with certificate and key files:\n\n```sh\nkubectl create secret generic \u003csecret-name\u003e \\\n  --from-file=certificate=\u003c/PATH/TO/certificate.pem\u003e \\\n  --from-file=key=\u003c/PATH/TO/key.pem\u003e \\\n  --from-literal=name=\u003cproxy | api | cm | syncer | metrics_exporter\u003e\n```\n\n### Internode encryption certificates\n\nYou can provide custom certificates for control plane and data plane internode encryption. Create separate secrets for each encryption type:\n\n```sh\nkubectl create secret generic cp-internode-cert \\\n  --from-file=certificate=\u003c/path/to/cp-certificate.pem\u003e \\\n  --from-file=key=\u003c/path/to/cp-key.pem\u003e \\\n  --from-literal=name=cp_internode_encryption\n```\n\n```sh\nkubectl create secret generic dp-internode-cert \\\n  --from-file=certificate=\u003c/path/to/dp-certificate.pem\u003e \\\n  --from-file=key=\u003c/path/to/dp-key.pem\u003e \\\n  --from-literal=name=dp_internode_encryption\n```\n\nReference these secrets in your REC specification under `spec.certificates`. See [Internode encryption](https://redis.io/docs/latest/operate/kubernetes/security/internode-encryption) for complete configuration details.\n\n## Best practices\n\n- Store sensitive configuration in Secrets rather than directly in YAML files.\n- Use `--from-file` to avoid manual base64 encoding.\n- Create secrets in the same namespace as your REC or REDB resources.\n- Use descriptive secret names for easy identification.\n- Regularly rotate certificates and update secrets.\n\n## See also\n\n- [Manage REC credentials](https://redis.io/docs/latest/operate/kubernetes/security/manage-rec-credentials)\n- [Manage REC certificates](https://redis.io/docs/latest/operate/kubernetes/security/manage-rec-certificates)\n- [Add client certificates](https://redis.io/docs/latest/operate/kubernetes/security/add-client-certificates)\n- [Redis Enterprise Cluster API reference](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api)\n",
  "tags": ["docs","operate","kubernetes"],
  "last_updated": "2026-06-04T14:49:57+01:00"
}