By default, Redis Enterprise Software for Kubernetes generates TLS certificates for the cluster during creation. These self-signed certificates are generated on the first node of each Redis Enterprise cluster (REC) and are copied to all other nodes added to the cluster.

Below are the names of certificates used by Redis Enterprise Software and the traffic they encrypt:

  • proxy - for connections between clients and database endpoints
  • api - for REST API calls
  • cm - for connections to the management admin console
  • syncer - for Active-Active and Replica Of synchronization between Redis Enterprise clusters
  • metrics_exporter - for exporting metrics to Prometheus

To install and use your own certificates with Kubernetes on your Redis Enterprise cluster, they need to be stored in secrets. The REC custom resource also needs to be configured with those secret names to read and use the certificates.

Create a secret to hold the new certificate

  1. Create the secret config file with the required fields shown below.

    apiVersion: v1
    kind: Secret
    type: Opaque
      name: <secret-name>
      name: { proxy | api | cm | syncer | metrics_exporter } 
      certificate: <certificate-string>
      key:  <key-string>  
  2. Apply the file to create the secret resource.

    kubectl apply -f <secret-name>.yaml

Update certificates in the REC custom resource

Edit the Redis Enterprise cluster (REC) custom resource to add a certificates subsection under the spec section. You are only required to add the fields for the certificates you are installing.

    apiCertificateSecretName: <apicert-secret-name>
    cmCertificateSecretName: <cmcert-secret-name>
    syncerCertificateSecretName: <syncercert-secret-name>
    metricsExporterCertificateSecretName: <metricscert-secret-name>
    proxyCertificateSecretName: <proxycert-secret-name>

Update certificates through the API

Alternatively, you can also update the REC certificates via the API:

PUT /v1/cluster/update_cert
   "certificate": <certificate>, 
   "key": <cert-key>,
   "name": <cert-name> 

Verify the certificate was updated

Check the operator logs and use the API to verify the certificate has been updated.

GET /v1/cluster/certificates

More info