K8s: Zeppelin maint 1 - INE cert changes

content/operate/kubernetes/7.22/reference/api/redis_enterprise_cluster_api.md

@@ -756,6 +756,20 @@ RS Cluster Certificates. Used to modify the certificates used by the cluster. Se
           Secret name to use for cluster's CM (Cluster Manager) certificate. If left blank, a cluster-provided certificate will be used.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td>cpInterNodeEncryptionCertificateSecretName</td>
+        <td>string</td>
+        <td>
+          Secret name to use for control plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td>dpInterNodeEncryptionCertificateSecretName</td>
+        <td>string</td>
+        <td>
+          Secret name to use for data plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td>ldapClientCertificateSecretName</td>
         <td>string</td>

content/operate/kubernetes/7.22/security/_index.md

@@ -27,7 +27,7 @@ Configure TLS certificates and encryption for secure communications:
 
 - [Manage REC certificates]({{< relref "/operate/kubernetes/7.22/security/manage-rec-certificates" >}}) - Configure cluster certificates for TLS encryption
 - [Add client certificates]({{< relref "/operate/kubernetes/7.22/security/add-client-certificates" >}}) - Set up client certificate authentication for databases
-- [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) - Enable encryption between cluster nodes
+- [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) - Enable encryption between cluster nodes and configure custom certificates
 
 ## Resource management
 

content/operate/kubernetes/7.22/security/configuration-secrets.md

@@ -80,6 +80,26 @@ kubectl create secret generic <secret-name> \
   --from-literal=name=<proxy | api | cm | syncer | metrics_exporter>
 ```
 
+### Internode encryption certificates
+
+You can provide custom certificates for control plane and data plane internode encryption. Create separate secrets for each encryption type:
+
+```sh
+kubectl create secret generic cp-internode-cert \
+  --from-file=certificate=</path/to/cp-certificate.pem> \
+  --from-file=key=</path/to/cp-key.pem> \
+  --from-literal=name=cp_internode_encryption
+```
+
+```sh
+kubectl create secret generic dp-internode-cert \
+  --from-file=certificate=</path/to/dp-certificate.pem> \
+  --from-file=key=</path/to/dp-key.pem> \
+  --from-literal=name=dp_internode_encryption
+```
+
+Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) for complete configuration details.
+
 ## Best practices
 
 - Store sensitive configuration in Secrets rather than directly in YAML files.

content/operate/kubernetes/7.22/security/internode-encryption.md

@@ -4,14 +4,16 @@ categories:
 - docs
 - operate
 - kubernetes
-description: Enable encryption for communication between REC nodes in your K8s cluster.
+description: Enable encryption for communication between REC nodes and configure custom certificates.
 linkTitle: Internode encryption
 weight: 99
 url: '/operate/kubernetes/7.22/security/internode-encryption/'
 ---
 
 Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC).
 
+## Enable internode encryption
+
 Enable internode encryption in the `spec` section of your REC custom resource file.
 
 ```yaml
@@ -24,8 +26,112 @@ This change will apply to all databases created in the REC. You can override the
 Edit your Redis Enterprise database (REDB) custom resource file to disable internode encryption for only that database.
 
 ```yaml
-spec: 
+spec:
     dataInternodeEncryption: false
 ```
 
 To learn more about internode encryption, see [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}).
+
+## Use custom certificates for internode encryption
+
+By default, Redis Enterprise uses self-signed certificates for internode encryption. You can provide your own certificates for both control plane and data plane internode encryption by storing them in Kubernetes secrets and referencing them in your REC specification.
+
+### Prerequisites
+
+- Internode encryption must be enabled (`dataInternodeEncryption: true`)
+- Certificates must be in PEM format
+- You must create the Kubernetes secrets before referencing them in the REC spec
+- Certificates should include the full certificate chain if using a certificate authority
+
+### Create secrets for internode encryption certificates
+
+Create Kubernetes secrets to store your internode encryption certificates. You need separate secrets for control plane and data plane encryption.
+
+1. Create a secret for control plane internode encryption:
+
+    ```sh
+    kubectl create secret generic cp-internode-cert \
+      --from-file=certificate=</path/to/cp-certificate.pem> \
+      --from-file=key=</path/to/cp-key.pem> \
+      --from-literal=name=cp_internode_encryption
+    ```
+
+2. Create a secret for data plane internode encryption:
+
+    ```sh
+    kubectl create secret generic dp-internode-cert \
+      --from-file=certificate=</path/to/dp-certificate.pem> \
+      --from-file=key=</path/to/dp-key.pem> \
+      --from-literal=name=dp_internode_encryption
+    ```
+
+### Configure certificates in REC spec
+
+Add the certificate secret names to the `certificates` section of your REC specification:
+
+```yaml
+spec:
+  dataInternodeEncryption: true
+  certificates:
+    cpInterNodeEncryptionCertificateSecretName: cp-internode-cert
+    dpInterNodeEncryptionCertificateSecretName: dp-internode-cert
+```
+
+You can configure one or both certificate types. If you don't specify a certificate secret name, the cluster uses a self-signed certificate for that encryption type.
+
+Apply the updated REC specification:
+
+```sh
+kubectl apply -f <rec-file>.yaml
+```
+
+### Certificate rotation
+
+You can rotate internode encryption certificates using either of these methods:
+
+#### Method 1: Update the existing secret
+
+Edit the certificate data in the existing Kubernetes secret. The operator automatically detects the change and applies the new certificate.
+
+```sh
+kubectl create secret generic cp-internode-cert \
+  --from-file=certificate=</path/to/new-cp-certificate.pem> \
+  --from-file=key=</path/to/new-cp-key.pem> \
+  --from-literal=name=cp_internode_encryption \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+#### Method 2: Create a new secret and update the REC spec
+
+1. Create a new secret with the updated certificate:
+
+    ```sh
+    kubectl create secret generic cp-internode-cert-new \
+      --from-file=certificate=</path/to/new-cp-certificate.pem> \
+      --from-file=key=</path/to/new-cp-key.pem> \
+      --from-literal=name=cp_internode_encryption
+    ```
+
+2. Update the REC specification to reference the new secret:
+
+    ```yaml
+    spec:
+      certificates:
+        cpInterNodeEncryptionCertificateSecretName: cp-internode-cert-new
+    ```
+
+3. Apply the updated REC specification:
+
+    ```sh
+    kubectl apply -f <rec-file>.yaml
+    ```
+
+### Certificate lifecycle
+
+When you remove a certificate secret reference from the REC specification, the operator does not delete the certificate from the Redis Enterprise cluster. The cluster continues to use the previously configured certificate until you explicitly replace it or the cluster reverts to using a self-signed certificate.
+
+## More info
+
+- [Manage REC certificates]({{< relref "/operate/kubernetes/7.22/security/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters
+- [Configuration secrets]({{< relref "/operate/kubernetes/7.22/security/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets
+- [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}) - Detailed information about how internode encryption works

content/operate/kubernetes/7.22/security/manage-rec-certificates.md

@@ -24,9 +24,11 @@ Create the [secret](https://kubernetes.io/docs/tasks/configmap-secret/managing-s
   kubectl create secret generic <secret-name> \
     --from-file=certificate=</PATH/TO/certificate.pem> \
     --from-file=key=</PATH/TO/key.pem> \
-    --from-literal=name=<proxy | api | cm | syncer | metrics_exporter>
+    --from-literal=name=<proxy | api | cm | syncer | metrics_exporter | cp_internode_encryption | dp_internode_encryption>
   ```
 
+{{<note>}}For internode encryption certificates, see [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) for detailed configuration instructions.{{</note>}}
+
 ## Update certificates in the REC custom resource
 
 Edit the Redis Enterprise cluster (REC) custom resource to add a `certificates` subsection under the `spec` section. You are only required to add the fields for the certificates you are installing.
@@ -39,6 +41,8 @@ spec:
     syncerCertificateSecretName: <syncercert-secret-name>
     metricsExporterCertificateSecretName: <metricscert-secret-name>
     proxyCertificateSecretName: <proxycert-secret-name>
+    cpInterNodeEncryptionCertificateSecretName: <cpine-secret-name>
+    dpInterNodeEncryptionCertificateSecretName: <dpine-secret-name>
 ```
 
 ### Update certificates through the API

content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md

@@ -754,6 +754,20 @@ RS Cluster Certificates. Used to modify the certificates used by the cluster. Se
           Secret name to use for cluster's CM (Cluster Manager) certificate. If left blank, a cluster-provided certificate will be used.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td>cpInterNodeEncryptionCertificateSecretName</td>
+        <td>string</td>
+        <td>
+          Secret name to use for control plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td>dpInterNodeEncryptionCertificateSecretName</td>
+        <td>string</td>
+        <td>
+          Secret name to use for data plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td>ldapClientCertificateSecretName</td>
         <td>string</td>

content/operate/kubernetes/security/_index.md

@@ -26,7 +26,7 @@ Configure TLS certificates and encryption for secure communications:
 
 - [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - Configure cluster certificates for TLS encryption
 - [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) - Set up client certificate authentication for databases
-- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) - Enable encryption between cluster nodes
+- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) - Enable encryption between cluster nodes and configure custom certificates
 
 ## Resource management
 

content/operate/kubernetes/security/configuration-secrets.md

@@ -79,6 +79,26 @@ kubectl create secret generic <secret-name> \
   --from-literal=name=<proxy | api | cm | syncer | metrics_exporter>
 ```
 
+### Internode encryption certificates
+
+You can provide custom certificates for control plane and data plane internode encryption. Create separate secrets for each encryption type:
+
+```sh
+kubectl create secret generic cp-internode-cert \
+  --from-file=certificate=</path/to/cp-certificate.pem> \
+  --from-file=key=</path/to/cp-key.pem> \
+  --from-literal=name=cp_internode_encryption
+```
+
+```sh
+kubectl create secret generic dp-internode-cert \
+  --from-file=certificate=</path/to/dp-certificate.pem> \
+  --from-file=key=</path/to/dp-key.pem> \
+  --from-literal=name=dp_internode_encryption
+```
+
+Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) for complete configuration details.
+
 ## Best practices
 
 - Store sensitive configuration in Secrets rather than directly in YAML files.

content/operate/kubernetes/security/internode-encryption.md

@@ -4,13 +4,15 @@ categories:
 - docs
 - operate
 - kubernetes
-description: Enable encryption for communication between REC nodes in your K8s cluster.
+description: Enable encryption for communication between REC nodes and configure custom certificates.
 linkTitle: Internode encryption
 weight: 99
 ---
 
 Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC).
 
+## Enable internode encryption
+
 Enable internode encryption in the `spec` section of your REC custom resource file.
 
 ```yaml
@@ -23,8 +25,112 @@ This change will apply to all databases created in the REC. You can override the
 Edit your Redis Enterprise database (REDB) custom resource file to disable internode encryption for only that database.
 
 ```yaml
-spec: 
+spec:
     dataInternodeEncryption: false
 ```
 
 To learn more about internode encryption, see [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}).
+
+## Use custom certificates for internode encryption
+
+By default, Redis Enterprise uses self-signed certificates for internode encryption. You can provide your own certificates for both control plane and data plane internode encryption by storing them in Kubernetes secrets and referencing them in your REC specification.
+
+### Prerequisites
+
+- Internode encryption must be enabled (`dataInternodeEncryption: true`)
+- Certificates must be in PEM format
+- You must create the Kubernetes secrets before referencing them in the REC spec
+- Certificates should include the full certificate chain if using a certificate authority
+
+### Create secrets for internode encryption certificates
+
+Create Kubernetes secrets to store your internode encryption certificates. You need separate secrets for control plane and data plane encryption.
+
+1. Create a secret for control plane internode encryption:
+
+    ```sh
+    kubectl create secret generic cp-internode-cert \
+      --from-file=certificate=</path/to/cp-certificate.pem> \
+      --from-file=key=</path/to/cp-key.pem> \
+      --from-literal=name=cp_internode_encryption
+    ```
+
+2. Create a secret for data plane internode encryption:
+
+    ```sh
+    kubectl create secret generic dp-internode-cert \
+      --from-file=certificate=</path/to/dp-certificate.pem> \
+      --from-file=key=</path/to/dp-key.pem> \
+      --from-literal=name=dp_internode_encryption
+    ```
+
+### Configure certificates in REC spec
+
+Add the certificate secret names to the `certificates` section of your REC specification:
+
+```yaml
+spec:
+  dataInternodeEncryption: true
+  certificates:
+    cpInterNodeEncryptionCertificateSecretName: cp-internode-cert
+    dpInterNodeEncryptionCertificateSecretName: dp-internode-cert
+```
+
+You can configure one or both certificate types. If you don't specify a certificate secret name, the cluster uses a self-signed certificate for that encryption type.
+
+Apply the updated REC specification:
+
+```sh
+kubectl apply -f <rec-file>.yaml
+```
+
+### Certificate rotation
+
+You can rotate internode encryption certificates using either of these methods:
+
+#### Method 1: Update the existing secret
+
+Edit the certificate data in the existing Kubernetes secret. The operator automatically detects the change and applies the new certificate.
+
+```sh
+kubectl create secret generic cp-internode-cert \
+  --from-file=certificate=</path/to/new-cp-certificate.pem> \
+  --from-file=key=</path/to/new-cp-key.pem> \
+  --from-literal=name=cp_internode_encryption \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+#### Method 2: Create a new secret and update the REC spec
+
+1. Create a new secret with the updated certificate:
+
+    ```sh
+    kubectl create secret generic cp-internode-cert-new \
+      --from-file=certificate=</path/to/new-cp-certificate.pem> \
+      --from-file=key=</path/to/new-cp-key.pem> \
+      --from-literal=name=cp_internode_encryption
+    ```
+
+2. Update the REC specification to reference the new secret:
+
+    ```yaml
+    spec:
+      certificates:
+        cpInterNodeEncryptionCertificateSecretName: cp-internode-cert-new
+    ```
+
+3. Apply the updated REC specification:
+
+    ```sh
+    kubectl apply -f <rec-file>.yaml
+    ```
+
+### Certificate lifecycle
+
+When you remove a certificate secret reference from the REC specification, the operator does not delete the certificate from the Redis Enterprise cluster. The cluster continues to use the previously configured certificate until you explicitly replace it or the cluster reverts to using a self-signed certificate.
+
+## More info
+
+- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters
+- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets
+- [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}) - Detailed information about how internode encryption works