AeroLab can assist you in configuring TLS between client and server, as well as between server nodes.
First, generate a configuration file that contains a `tls` stanza:
```
aerolab conf generate
```
Select “enabled” and “service” under the “network-tls” portion and hit CTRL+X to save the file as `aerospike.conf` in your current directory.
Note: you can also download a ready-made template configuration file from this repository, in the `templates` directory.
Then create the cluster from that configuration:

```
aerolab cluster create -o aerospike.conf -c 2 -n mytest
```
Using GCP? If so, your command will likely look more like the following:

```
aerolab cluster create -o aerospike.conf -c 2 -n mytest --instance e2-medium --zone us-central1-a --disk pd-balanced:20 --disk pd-ssd:40 --firewall aerolab-managed-external
```
The `--instance` and `--zone` values should be adjusted to your particular GCP needs. The key thing to note here is the `--firewall` option: if you don't specify it, AeroLab will not configure your cluster's firewall with the same rules that the other AeroLab examples expect, and the connectivity steps below will not work as written.
Next, generate the TLS certificates for the cluster and restart Aerospike so that it picks them up:

```
aerolab tls generate -n mytest
aerolab aerospike restart -n mytest
```
Note: if you are using Docker Desktop and connecting from your host machine rather than from inside a container, first run `aerolab cluster list` and grab the `ExposedPort` for node 1. Use that instead of `4333` in the commands below.
If you are connecting from one machine to another inside a GCP deployment, run `aerolab cluster list` and use the `PrivateIP` instead of the public IP.
The simplest way to test the connection is from inside node 1 itself, where the service listens on `127.0.0.1:4333`:

```
aerolab attach shell -n mytest
# mutual auth off: the client only verifies the server certificate against the CA
aql --tls-enable --tls-cafile=/etc/aerospike/ssl/tls1/cacert.pem -h 127.0.0.1:tls1:4333
# mutual auth on: the client also presents its own certificate and key
aql --tls-enable --tls-cafile=/etc/aerospike/ssl/tls1/cacert.pem --tls-keyfile=/etc/aerospike/ssl/tls1/key.pem --tls-certfile=/etc/aerospike/ssl/tls1/cert.pem -h 127.0.0.1:tls1:4333
```

The host argument has the form `host:tls-name:port`. The middle field (`tls1` here) is the TLS name the client uses to validate the server's certificate, so it must be the name the certificate was generated for; using the wrong name fails the handshake even though the IP and port are correct. Which of the two `aql` forms applies depends on whether the server's `tls` stanza requires client certificates.
`tls generate` puts the certificates at the following paths in the containers (the same paths the `aql` examples above and the `tls` stanza below refer to):

```
/etc/aerospike/ssl/{TLS_NAME}/cert.pem
/etc/aerospike/ssl/{TLS_NAME}/cacert.pem
/etc/aerospike/ssl/{TLS_NAME}/key.pem
```
Because each TLS name gets its own directory, you can define and use multiple TLS names in your Aerospike config. For example:

```
network {
    tls tls1 {
        cert-file /etc/aerospike/ssl/tls1/cert.pem
        key-file /etc/aerospike/ssl/tls1/key.pem
        ca-file /etc/aerospike/ssl/tls1/cacert.pem
    }
    tls bob.domain.why.not {
        cert-file /etc/aerospike/ssl/bob.domain.why.not/cert.pem
        key-file /etc/aerospike/ssl/bob.domain.why.not/key.pem
        ca-file /etc/aerospike/ssl/bob.domain.why.not/cacert.pem
    }
}
```
If you use that in the template configuration file supplied to `cluster create` with the `-o` parameter, simply generate separate certificates for those two TLS names as follows:

```
aerolab tls generate -n mytest -t tls1
aerolab tls generate -n mytest -t bob.domain.why.not
```
TLS generation supports multiple CA certificates. If a CA cert with the given name already exists, it is reused, so certificates for several TLS names can share one CA; if it doesn't, a new CA with that name is generated. Keep in mind that this CA is a self-signed one created locally for the lab: it is fine for testing, but anything beyond that should use certificates issued by your own PKI.
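Before restarting the server (or whenever a handshake fails with a name or trust error), it is worth checking that the three files in a TLS directory actually belong together. The script below is an added example, not part of AeroLab: `check_tls_dir` verifies that `cert.pem` chains to `cacert.pem`, that `key.pem` is the private key for `cert.pem`, and that the TLS name appears in the certificate's CN or SAN (the same check the `host:tls-name:port` syntax relies on). It only assumes the `openssl` CLI and the file layout described above; `make_test_material` builds a constructed throwaway CA and leaf so the script can be exercised without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not AeroLab code): sanity-check the files that "tls generate"
# leaves in /etc/aerospike/ssl/<TLS_NAME>/. Requires only the openssl CLI.
set -u

# check_tls_dir DIR TLS_NAME
# Returns 0 only if all three checks pass; prints one line per check.
check_tls_dir() {
  local dir="$1" name="$2" rc=0
  local cert="$dir/cert.pem" key="$dir/key.pem" ca="$dir/cacert.pem"
  local f pk_cert pk_key
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "missing: $f"; return 1; }
  done

  # 1. Trust chain: the leaf must verify against the CA the client will be given.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain: ok"
  else
    echo "chain: FAIL ($cert does not verify against $ca)"; rc=1
  fi

  # 2. Key/cert match: compare SubjectPublicKeyInfo so it also works for EC keys.
  pk_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  pk_key=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -n "$pk_cert" ] && [ "$pk_cert" = "$pk_key" ]; then
    echo "key: ok"
  else
    echo "key: FAIL (key.pem is not the private key for cert.pem)"; rc=1
  fi

  # 3. Name: clients validate the server cert against the tls-name they connect
  #    with, so it must appear as a DNS SAN or as the subject CN.
  if openssl x509 -in "$cert" -noout -subject -text 2>/dev/null \
       | grep -qE "(^subject=.*CN ?= ?|DNS:)${name}(,|\$|/)"; then
    echo "name: ok ($name)"
  else
    echo "name: FAIL ($name not in CN or SAN)"; rc=1
  fi
  return $rc
}

# make_test_material DIR TLS_NAME
# Constructed test data: a throwaway self-signed CA and a leaf signed by it,
# written with the same filenames "tls generate" uses. Not what AeroLab produces.
make_test_material() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$dir/ca.key" -out "$dir/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/key.pem" -out "$dir/req.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/req.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.cnf" \
    -out "$dir/cert.pem" >/dev/null 2>&1
}

# Usage inside "aerolab attach shell -n mytest":
#   ./check_tls.sh /etc/aerospike/ssl/tls1 tls1
if [ $# -eq 2 ]; then
  check_tls_dir "$1" "$2"
fi
```

A failing `name` check is the usual cause of a client that can reach the port but cannot complete the handshake: the certificate was generated for a different TLS name than the one in `host:tls-name:port`. A failing `key` check typically means files from two different `tls generate` runs were mixed in one directory.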
AeroLab also has `tls copy` as a handy way to copy TLS certificates from one node to another (or from one cluster to another).