The CockroachDB operator is in .
TLS configuration options
You can either allow the operator to generate self-signed certificates, provide a custom CA certificate and generate all other certificates, or use your own certificates.All self-signed certificates
By default, the certificates are created automatically by a self-signer utility, which requires no configuration beyond setting a custom certificate duration if desired. This utility usescockroach cert to automatically generate self-signed certificates for the nodes and root client which are stored in a secret. You can see these certificates by running kubectl get secrets:
If you are deploying on OpenShift you must also set
cockroachdb.tls.selfSigner.securityContext.enabled to false to mitigate stricter security policies.Custom CA certificate
If you wish to supply your own CA certificates to the deployed nodes but allow automatic generation of client certificates, create a Kubernetes secret with the custom CA certificate. To perform these steps using thecockroach cert command:
cockroachdb.tls.selfSigner.caProvided to true and specify the secret where the certificate is stored:
cockroachdb.tls.selfSigner.securityContext.enabled to false to mitigate stricter security policies.
All custom certificates
Set up your certificates and load them into your Kubernetes cluster as secrets using the following commands:The subject alternative names are based on a release called
my-release in the cockroach-ns namespace. Make sure they match the services created with the release during Helm install.cockroachdb.tls.certManager.enabled to true, and cockroachdb.tls.certManager.issuer to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer that you have set up in the cluster:
cert-manager, the secret will contain files named: ca.crt, tls.crt, and tls.key. For CockroachDB, rename these files as applicable to match the following naming scheme: ca.crt, node.crt, node.key, client.root.crt, and client.root.key.
Add the following to the values file:
- : The name of the Kubernetes secret that contains the generated node certificate and key.
- : The name of the Kubernetes secret that contains the generated client certificate and key.
Example: Generate and sign custom certificates using cockroach cert
The following example uses to generate and sign the CockroachDB node and client certificates. To learn more about the supported methods of signing certificates, refer to .
-
Create two directories:
-
Create the CA certificate and key pair:
-
Create a client certificate and key pair for the root user:
-
Upload the client certificate and key to the Kubernetes cluster as a secret, renaming them to the filenames required by the :
-
Create the certificate and key pair for your CockroachDB nodes, specifying the namespace you used when deploying the cluster. This example uses the
cockroach-nsnamespace: -
Upload the node certificate and key to the Kubernetes cluster as a secret, renaming them to the filenames required by the :
-
Check that the secrets were created on the cluster:
-
Add
cockroachdb.tls.externalCertificates.certificates.nodeSecretNameandcockroachdb.tls.externalCertificates.certificates.nodeClientSecretNameto the values file used to deploy the cluster:
Rotate security certificates
You may need to rotate the node, client, or CA certificates in the following scenarios:- The node, client, or CA certificates are expiring soon.
- Your organization’s compliance policy requires periodic certificate rotation.
- The key (for a node, client, or CA) is compromised.
- You need to modify the contents of a certificate, for example, to add another DNS name or the IP address of a load balancer through which a node can be reached. In this case, you would need to rotate only the node certificates.
Example: Manually rotate certificates signed with cockroach cert
If you previously created and signed certificates with cockroach cert, follow these steps to manually rotate the certificates using the same CA:
-
Create a new client certificate and key pair for the root user, overwriting the previous certificate and key:
-
Upload the new client certificate and key to the Kubernetes cluster as a new secret, renaming them to the filenames required by the :
-
Create a new certificate and key pair for your CockroachDB nodes, overwriting the previous certificate and key. Specify the namespace you used when . This example uses the
cockroach-nsnamespace: -
Upload the new node certificate and key to the Kubernetes cluster as a new secret, renaming them to the filenames required by the :
-
Add
cockroachdb.tls.externalCertificates.certificates.nodeClientSecretNameandcockroachdb.tls.externalCertificates.certificates.nodeSecretNameto the values file used to : -
Check that the secrets were created on the cluster:
Remember that
nodeSecretName and nodeClientSecretName in the operator configuration must specify these secret names. For details, see the .-
Apply the new settings to the cluster:
The pods will terminate and restart one at a time, using the new certificates. You can observe this process:
-
Delete the existing client secret that is no longer in use:
-
Delete the existing node secret that is no longer in use:
Secure the webhooks
The operator ships with both mutating and validating webhooks. Communication between the Kubernetes API server and the webhook service must be secured with TLS. By default, the searches for the TLS secretcockroach-operator-certs, which contains a CA certificate. If the secret is not found, the operator auto-generates cockroach-operator-certs with a CA certificate for future runs.
The operator then generates a one-time server certificate for the webhook server that is signed with cockroach-operator-certs. Finally, the CA bundle for both mutating and validating webhook configurations is patched with the CA certificate.
You can also use your own certificate authority rather than cockroach-operator-certs. Both the certificate and key files you generate must be PEM-encoded. See the following example.
Example: Using OpenSSL to secure the webhooks
These steps demonstrate how to use the openssl genrsa and openssl req subcommands to secure the webhooks on a running Kubernetes cluster:-
Generate a 4096-bit RSA private key:
-
Generate an X.509 certificate, valid for 10 years. You will be prompted for the certificate field values.
-
Create the secret, making sure that you are in the correct namespace:
-
Remove the certificate and key from your local environment:
-
Roll the operator deployment to ensure a new server certificate is generated:

