Encryption
The quorum and client communication are encrypted by default via TLS. This requires the Secret Operator to be present in order to provide certificates. The utilized certificates can be changed in a top-level config.
---
apiVersion: zookeeper.stackable.tech/v1alpha1
kind: ZookeeperCluster
metadata:
name: simple-zk
spec:
image:
productVersion: 3.8.3
clusterConfig:
tls:
serverSecretClass: tls (1)
quorumSecretClass: tls (2)
servers:
roleGroups:
default:
replicas: 3
1 | The tls.server.secretClass refers to the client-to-server encryption. Defaults to the tls secret. |
2 | The tls.quorum.secretClass refers to the server-to-server quorum encryption. Defaults to the tls secret. |
The tls
secret is deployed from the Secret Operator and looks like this:
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
name: tls
spec:
backend:
autoTls:
ca:
secret:
name: secret-provisioner-tls-ca
namespace: default
autoGenerate: true
You can create your own secrets and reference them e.g. in the tls.secretClass
to use different certificates.