This article assumes you have already using the Public operator or Helm. However, it’s possible to configure these settings before starting CockroachDB on Kubernetes.
cert-manager for certificate management. For details, refer to Deploy cert-manager for mTLS.
This page is for Kubernetes deployments that are not using the CockroachDB operator. For guidance specific to the CockroachDB operator, read .
New deployments of CockroachDB on Kubernetes are recommended to use the newer, fully-featured CockroachDB operator that’s easier to deploy and supports scaling of multi-region clusters. To migrate an existing deployment to use the CockroachDB operator, read the and migration guides.
New deployments of CockroachDB on Kubernetes are recommended to use the newer, fully-featured CockroachDB operator that’s easier to deploy and supports scaling of multi-region clusters. To migrate an existing deployment to use the CockroachDB operator, read the and migration guides.
This page explains how to:
- Authenticate a Public operator or Helm deployment using a custom CA
- Rotate security certificates
- Secure the webhooks (public perator)
If you are running a secure Helm deployment on Kubernetes 1.22 and later, you must migrate away from using the Kubernetes CA for cluster authentication. The recommended approach is to use
cert-manager for certificate management. For details, refer to Deploy cert-manager for mTLS.All
kubectl steps should be performed in the . By default, this is cockroach-operator-system.Use a custom CA
By default, the Public operator will generate and sign 1 client and 1 node certificate to secure the cluster. To use your own certificate authority instead, add the following to the Public operator’s custom resource before :- : The name of the Kubernetes secret that contains the generated node certificate and key.
- : The name of the Kubernetes secret that contains the generated client certificate and key.
tls.crt and tls.key.
Apply the new settings to the cluster:
- : The name of the Kubernetes secret that contains the generated node certificate and key.
- : The name of the Kubernetes secret that contains the generated client certificate and key.
Example: Authenticate with cockroach cert
This example uses to generate and sign the CockroachDB node and client certificates. To learn more about the supported methods of signing certificates, refer to .
Complete the following steps before .
-
Create two directories:
Directory Description certsYou’ll generate your CA certificate and all node and client certificates and keys in this directory. my-safe-directoryYou’ll generate your CA key in this directory and then reference the key when generating node and client certificates. -
Create the CA certificate and key pair:
-
Create a client certificate and key pair for the root user:
-
Upload the client certificate and key to the Kubernetes cluster as a secret, renaming them to the filenames required by the Public operator:
-
Create the certificate and key pair for your CockroachDB nodes, specifying the namespace you used when . This example uses the Public operator’s default namespace (
cockroach-operator-system): -
Upload the node certificate and key to the Kubernetes cluster as a secret, renaming them to the filenames required by the Public operator:
-
Check that the secrets were created on the cluster:
-
Add
nodeTLSSecretandclientTLSSecretto the Public operator’s , specifying the generated secret names: -
Create two directories:
Directory Description certsYou’ll generate your CA certificate and all node and client certificates and keys in this directory. my-safe-directoryYou’ll generate your CA key in this directory and then reference the key when generating node and client certificates. -
Create the CA certificate and key pair:
-
Create a client certificate and key pair for the root user:
-
Upload the client certificate and key to the Kubernetes cluster as a secret:
-
Create the certificate and key pair for your CockroachDB nodes:
This example assumes that you followed our , which uses
my-release as the release name. If you used a different value, be sure to adjust the release name in this command.-
Upload the node certificate and key to the Kubernetes cluster as a secret:
-
Check that the secrets were created on the cluster:
-
Specify the following in the custom values file you created when , using the generated secret names:
-
Apply the custom values to override the default Helm chart values:
Rotate security certificates
You may need to rotate the node, client, or CA certificates in the following scenarios:- The node, client, or CA certificates are expiring soon.
- Your organization’s compliance policy requires periodic certificate rotation.
- The key (for a node, client, or CA) is compromised.
- You need to modify the contents of a certificate, for example, to add another DNS name or the IP address of a load balancer through which a node can be reached. In this case, you would need to rotate only the node certificates.
Example: Rotate certificates signed with cockroach cert
If you previously authenticated with cockroach cert, follow these steps to rotate the certificates using the same CA:
-
Create a new client certificate and key pair for the root user, overwriting the previous certificate and key:
-
Upload the new client certificate and key to the Kubernetes cluster as a new secret, renaming them to the filenames required by the Public operator:
-
Create a new certificate and key pair for your CockroachDB nodes, overwriting the previous certificate and key. Specify the namespace you used when . This example uses the Public operator’s default namespace (
cockroach-operator-system): -
Upload the new node certificate and key to the Kubernetes cluster as a new secret, renaming them to the filenames required by the Public operator:
-
Add
nodeTLSSecretandclientTLSSecretto the Public operator’s , specifying the new secret names: -
Check that the secrets were created on the cluster:
Remember that
nodeTLSSecretandclientTLSSecretin the Public operator’s must specify these secret names. For details, see Use a custom CA. -
Apply the new settings to the cluster:
The pods will terminate and restart one at a time, using the new certificates.
-
You can observe this process:
-
Delete the existing client secret that is no longer in use:
-
Delete the existing node secret that is no longer in use:
cockroach cert, follow these steps to ensure the certificates are rotated:
-
Upload the CA certificate that you previously created to the Kubernetes cluster as a secret:
-
Specify the following in the custom values file you created when , using the generated secret name:
selfSigner.enabled and selfSigner.rotateCerts are true by default in the Helm chart values.-
Customize the following
selfSignerfields to set the frequency of certificate rotation. These should correspond to the durations of the CA, client, and node certificates.
caCertDuration,clientCertDuration, andnodeCertDurationspecify the duration in hours of the CA, client, and node certificates, respectively.caCertExpiryWindow,clientCertExpiryWindow, andnodeCertExpiryWindowspecify the timeframe in hours during which the CA, client, and node certificates, respectively, should be rotated before they expire.minimumCertDurationspecifies the minimum duration in hours for all certificates. This is to ensure that the client and node certificates are rotated within the duration of the CA certificate. This value must be less than:-
cacertExpiryWindow -
The difference of
clientCertDurationandclientExpiryWindow -
The difference of
nodeCertDurationandnodeCertExpiryWindowCertificate duration is configured when running . You can check the expiration dates of thecockroach certcertificates by running:For each certificate, the output includes its certificate file and expiration, the key file for node and client certificates, a Notes column with additional details, and an Errors column that is empty unless there is an error.
-
-
Apply the custom values to override the default Helm chart values:
The certificates will be rotated during the specified expiry windows.
Deploy cert-manager for mTLS
Cockroach Labs recommends using cert-manager to sign certificates for cluster authentication. cert-manager manages certificates and certificate issuers as resource types in Kubernetes clusters, to simplify the process of obtaining, renewing and using those certificates.
Previously, the Helm chart used a self-signer for cluster authentication. This approach is no longer recommended.
-
Install a supported version of
cert-manger. For a new cluster, Cockroach Labs recommends using the latest supported version. Refer to installed you will find itcert-managerInstallation in thecert-managerproject’s documentation. -
Create a file named
issuer.yamlthat configures anIssuer, which represents a certificate authority that can sign certificates. This example creates an issuer that can sign self-signed CA certificates. To customize your issuer, refer to Issuer Configuration in thecert-managerproject’s documentation. -
Use
kubectl applyto create the issuer from the YAML file: -
Enable and configure
cert-managerin the Helm chart’svalues.yamlfile. The following options are required. For more options, refer tocert-managerin the CockroachDB Helm chart documentation.
- To disable signing self-signed certificates, set
tls.certs.selfSigner.enabledtofalse. - Set
tls.certs.certManagerIssuer.kindto eitherIssuerorClusterIssuer. To get started,Issueris recommended.ClusterIssueris cluster-scoped; when referencing a secret via thesecretNamefield, only secrets in thecluster-resourcenamespace (cert-managerby default) are searched. To learn more, refer to Cluster Resource Namespace in thecert-managerproject’s documentation. - Set
certManagerIssuer.nameto the name of the issuer you created in the previous step.
-
Apply the updated Helm chart:
Replace
values.yamlwith the name of your Helm chart’s values file.
Secure the webhooks
The Public operator ships with both mutating and validating webhooks. Communication between the Kubernetes API server and the webhook service must be secured with TLS. By default, the Public operator searches for the TLS secretcockroach-operator-webhook-ca, which contains a CA certificate. If the secret is not found, the Public operator auto-generates cockroach-operator-webhook-ca with a CA certificate for future runs.
The Public operator then generates a one-time server certificate for the webhook server that is signed with cockroach-operator-webhook-ca. Finally, the CA bundle for both mutating and validating webhook configurations is patched with the CA certificate.
You can also use your own certificate authority rather than cockroach-operator-webhook-ca. Both the certificate and key files you generate must be PEM-encoded. See the following example.
Example: Using OpenSSL to secure the webhooks
These steps demonstrate how to use theopenssl genrsa and openssl req subcommands to secure the webhooks on a running Kubernetes cluster:
-
Generate a 4096-bit RSA private key:
-
Generate an X.509 certificate, valid for 10 years. You will be prompted for the certificate field values.
-
Create the secret, making sure that :
-
Remove the certificate and key from your local environment:
-
Roll the Public operator deployment to ensure a new server certificate is generated:

