Encryption

The quorum and client communication are encrypted by default via TLS. This requires the Secret Operator to be present in order to provide certificates. The utilized certificates can be changed in a top-level config.

---
apiVersion: zookeeper.stackable.tech/v1alpha1
kind: ZookeeperCluster
metadata:
  name: simple-zk
spec:
  image:
    productVersion: 3.9.2
  clusterConfig:
    tls:
      serverSecretClass: tls (1)
      quorumSecretClass: tls (2)
  servers:
    roleGroups:
      default:
        replicas: 3

1	The `tls.server.secretClass` refers to the client-to-server encryption. Defaults to the `tls` secret.
2	The `tls.quorum.secretClass` refers to the server-to-server quorum encryption. Defaults to the `tls` secret.

The tls secret is deployed from the Secret Operator and looks like this:

---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-tls-ca
          namespace: default
        autoGenerate: true

You can create your own secrets and reference them e.g. in the tls.secretClass to use different certificates.