This is a prerelease version.

View latest

Configuring TLS

Hazelcast TLS is a security feature that provides encryption and authentication of data transmitted between Hazelcast nodes, preventing unauthorized access and eavesdropping.

Hazelcast TLS uses standard SSL/TLS certificates, which can be obtained from trusted Certificate Authorities (CA) or self-signed. The certificates are used to establish trust between the communicating parties and ensure the authenticity of the communication channel.

See TLS/SSL Basics for more detailed information about the configuration and behavior of TLS in Hazelcast.

Prerequisites for TLS

Before you create and configure TLS, you need to create a Kubernetes secret. The Operator uses the secret to create a truststore and keystore, and it modifies the Hazelcast configuration accordingly.

Example:

kubectl create secret generic example \
  --from-file=tls.crt=example.crt \
  --from-file=tls.key=example.key

ca.crt is optional. You can also provide it to create the truststore:

kubectl create secret generic example \
  --from-file=tls.crt=example.crt \
  --from-file=tls.key=example.key \
  --from-file=ca.crt=ca.crt
If you provide ca.crt, it creates a truststore using it, if you don’t create it, the truststore and keystore will be the same.
The Operator creates the keystore and truststore in PKCS12 format.
The provided tls.key must be unencrypted.

Configuring Hazelcast TLS

Below are the configuration options for the TLS.

Field Description

secretName

Specifies the name of Kubernetes TLS secret.

clientAuthentication

Mutual authentication configuration for client to member communication, available values are:

  • None (default): The client side of the connection is not authenticated.

  • Required: Server forces usage of a trusted client certificate.

  • Optional: Server asks for a client certificate, but it doesn’t require it.

memberAuthentication

Mutual authentication configuration for member to member communication, available values are:

  • None: The client side of the connection is not authenticated.

  • Required(default): Server forces usage of a trusted client certificate.

  • Optional: Server asks for a client certificate, but it doesn’t require it.

Example Configuration

The example configuration does the following:

  • Enables member to member and member-client Hazelcast TLS connections

  • Enforces mutual TLS authentication for cluster members

Example Hazelcast configuration
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
spec:
  clusterSize: 3
  repository: 'docker.io/hazelcast/hazelcast-enterprise'
  licenseKeySecretName: hazelcast-license-key
  tls:
    secretName: example
Example Management Center configuration
apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
  name: managementcenter
spec:
  repository: 'hazelcast/management-center'
  licenseKeySecretName: hazelcast-license-key
  hazelcastClusters:
  - address: hazelcast
    name: dev
    tls:
      secretName: example
To update TLS certificates, you need to delete and recreate the appropriate custom resource.