Manage Redis Enterprise cluster (REC) certificates

Install your own certificates to be used by the Redis Enterprise cluster's operator.

Redis Enterprise for Kubernetes
Note:
To automate certificate management, you can use cert-manager instead of manually created secrets. See cert-manager integration for details.

By default, Redis Enterprise Software for Kubernetes generates TLS certificates for the cluster during creation. These self-signed certificates are generated on the first node of each Redis Enterprise cluster (REC) and are copied to all other nodes added to the cluster. For the list of of certificates used by Redis Enterprise Software and the traffic they encrypt, see the certificates table.

To install and use your own certificates with Kubernetes on your Redis Enterprise cluster, they need to be stored in secrets. The REC custom resource also needs to be configured with those secret names to read and use the certificates.

Create a secret to hold the new certificate

Create the secret with the required fields shown below.

kubectl create secret generic <secret-name> \
  --from-file=certificate=</PATH/TO/certificate.pem> \
  --from-file=key=</PATH/TO/key.pem> \
  --from-literal=name=<proxy | api | cm | syncer | metrics_exporter | cp_internode_encryption | dp_internode_encryption>
Note:
For internode encryption certificates, see Internode encryption for detailed configuration instructions.

Update certificates in the REC custom resource

Edit the Redis Enterprise cluster (REC) custom resource to add a certificates subsection under the spec section. You are only required to add the fields for the certificates you are installing.

spec:
  certificates:
    apiCertificateSecretName: <apicert-secret-name>
    cmCertificateSecretName: <cmcert-secret-name>
    syncerCertificateSecretName: <syncercert-secret-name>
    metricsExporterCertificateSecretName: <metricscert-secret-name>
    proxyCertificateSecretName: <proxycert-secret-name>
    cpInternodeEncryptionCertificateSecretName: <cpine-secret-name>
    dpInternodeEncryptionCertificateSecretName: <dpine-secret-name>

Update certificates through the API

Alternatively, you can also update the REC certificates via the API:

PUT /v1/cluster/update_cert
{
   "certificate": <certificate>, 
   "key": <cert-key>,
   "name": <cert-name> 
}

Verify the certificate was updated

Check the operator logs and use the API to verify the certificate has been updated.

GET /v1/cluster/certificates

Active-Active database certificate updates

The operator automates certificate updates for Active-Active databases. When you update the proxy or syncer certificate secret referenced by the REC, the operator detects the change and propagates the new certificate to all participating clusters.

This automation applies whether you manage the secret directly or with cert-manager.

More info

RATE THIS PAGE
Back to top ↑