Encryption
The quorum and client communication are encrypted by default via TLS. This requires the Secret Operator to be present in order to provide certificates. The utilized certificates can be changed in a top-level config.
---
apiVersion: zookeeper.stackable.tech/v1alpha1
kind: ZookeeperCluster
metadata:
name: simple-zk
spec:
image:
productVersion: 3.9.5
clusterConfig:
tls:
serverSecretClass: tls (1)
quorumSecretClass: tls (2)
servers:
roleGroups:
default:
replicas: 3
| 1 | The tls.serverSecretClass refers to the client-to-server encryption. Defaults to the tls secret. |
| 2 | The tls.quorumSecretClass refers to the server-to-server quorum encryption. Defaults to the tls secret. |
The tls secret is deployed from the Secret Operator and looks like this:
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
name: tls
spec:
backend:
autoTls:
ca:
secret:
name: secret-provisioner-tls-ca
namespace: default
autoGenerate: true
You can create your own secrets and reference them in tls.serverSecretClass or tls.quorumSecretClass to use different certificates.
Configuring a client AuthenticationClass via Authentication overrides the tls.serverSecretClass setting.
|