Encryption

The quorum and client communication are encrypted by default via TLS. This requires the Secret Operator to be present in order to provide certificates. The utilized certificates can be changed in a top-level config.

---
apiVersion: zookeeper.stackable.tech/v1alpha1
kind: ZookeeperCluster
metadata:
  name: simple-zk
spec:
  image:
    productVersion: 3.9.1
  clusterConfig:
    tls:
      serverSecretClass: tls (1)
      quorumSecretClass: tls (2)
  servers:
    roleGroups:
      default:
        replicas: 3
1 The tls.server.secretClass refers to the client-to-server encryption. Defaults to the tls secret.
2 The tls.quorum.secretClass refers to the server-to-server quorum encryption. Defaults to the tls secret.

The tls secret is deployed from the Secret Operator and looks like this:

---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-tls-ca
          namespace: default
        autoGenerate: true

You can create your own secrets and reference them e.g. in the tls.secretClass to use different certificates.