Configuring TLS
Hazelcast TLS is a security feature that provides encryption and authentication of data transmitted between Hazelcast nodes, preventing unauthorized access and eavesdropping.
Hazelcast TLS uses standard SSL/TLS certificates, which can be obtained from trusted Certificate Authorities (CA) or self-signed. The certificates are used to establish trust between the communicating parties and ensure the authenticity of the communication channel.
See TLS/SSL Basics for more detailed information about the configuration and behavior of TLS in Hazelcast.
Prerequisites for TLS
Before you create and configure TLS, you need to create a Kubernetes secret. The Operator uses the secret to create a truststore and keystore, and it modifies the Hazelcast configuration accordingly.
Example:
kubectl create secret generic example \
--from-file=tls.crt=example.crt \
--from-file=tls.key=example.key
ca.crt
is optional. You can also provide it to create the truststore:
kubectl create secret generic example \
--from-file=tls.crt=example.crt \
--from-file=tls.key=example.key \
--from-file=ca.crt=ca.crt
If you provide ca.crt , it creates a truststore using it, if you don’t create it, the truststore and keystore will be the same.
|
The Operator creates the keystore and truststore in PKCS12 format. |
The provided tls.key must be unencrypted.
|
Configuring Hazelcast TLS
Below are the configuration options for the TLS.
Field | Description |
---|---|
|
Specifies the name of Kubernetes TLS secret. |
|
Mutual authentication configuration for client to member communication, available values are:
|
|
Mutual authentication configuration for member to member communication, available values are:
|
Example Configuration
The example configuration does the following:
-
Enables member to member and member-client Hazelcast TLS connections
-
Enforces mutual TLS authentication for cluster members
apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
name: hazelcast
spec:
clusterSize: 3
repository: 'docker.io/hazelcast/hazelcast-enterprise'
licenseKeySecretName: hazelcast-license-key
tls:
secretName: example
apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
name: managementcenter
spec:
repository: 'hazelcast/management-center'
licenseKeySecretName: hazelcast-license-key
hazelcastClusters:
- address: hazelcast
name: dev
tls:
secretName: example
To update TLS certificates, you need to delete and recreate the appropriate custom resource. |