diff --git a/content/operate/kubernetes/7.22/reference/api/redis_enterprise_cluster_api.md b/content/operate/kubernetes/7.22/reference/api/redis_enterprise_cluster_api.md
index f1fb8cc87f..d52e0bef00 100644
--- a/content/operate/kubernetes/7.22/reference/api/redis_enterprise_cluster_api.md
+++ b/content/operate/kubernetes/7.22/reference/api/redis_enterprise_cluster_api.md
@@ -756,6 +756,20 @@ RS Cluster Certificates. Used to modify the certificates used by the cluster. Se
Secret name to use for cluster's CM (Cluster Manager) certificate. If left blank, a cluster-provided certificate will be used.
false |
+
+ | cpInterNodeEncryptionCertificateSecretName |
+ string |
+
+ Secret name to use for control plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.
+ |
+ false |
+
+ | dpInterNodeEncryptionCertificateSecretName |
+ string |
+
+ Secret name to use for data plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.
+ |
+ false |
| ldapClientCertificateSecretName |
string |
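Review bot: The two new rows for cpInterNodeEncryptionCertificateSecretName and dpInterNodeEncryptionCertificateSecretName say which plane the secret covers but not what the secret must contain, and a reader arriving from the API reference will not know that the operator expects `certificate` and `key` entries plus a `name` literal (`cp_internode_encryption` / `dp_internode_encryption`, as the docs pages added in this same change show). Suggest adding the expected `name` value, or a pointer to the internode-encryption page, to each description cell. Also confirm that the blank line and the lone `|` between the description and `false |` match the surrounding rows so the table still renders.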
diff --git a/content/operate/kubernetes/7.22/security/_index.md b/content/operate/kubernetes/7.22/security/_index.md
index 15dca1ac31..21b1453957 100644
--- a/content/operate/kubernetes/7.22/security/_index.md
+++ b/content/operate/kubernetes/7.22/security/_index.md
@@ -27,7 +27,7 @@ Configure TLS certificates and encryption for secure communications:
- [Manage REC certificates]({{< relref "/operate/kubernetes/7.22/security/manage-rec-certificates" >}}) - Configure cluster certificates for TLS encryption
- [Add client certificates]({{< relref "/operate/kubernetes/7.22/security/add-client-certificates" >}}) - Set up client certificate authentication for databases
-- [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) - Enable encryption between cluster nodes
+- [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) - Enable encryption between cluster nodes and configure custom certificates
## Resource management
diff --git a/content/operate/kubernetes/7.22/security/configuration-secrets.md b/content/operate/kubernetes/7.22/security/configuration-secrets.md
index 5922b10abf..e89a64b900 100644
--- a/content/operate/kubernetes/7.22/security/configuration-secrets.md
+++ b/content/operate/kubernetes/7.22/security/configuration-secrets.md
@@ -80,6 +80,26 @@ kubectl create secret generic \
--from-literal=name=
```
+### Internode encryption certificates
+
+You can provide custom certificates for control plane and data plane internode encryption. Create separate secrets for each encryption type:
+
+```sh
+kubectl create secret generic cp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption
+```
+
+```sh
+kubectl create secret generic dp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=dp_internode_encryption
+```
+
+Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) for complete configuration details.
+
## Best practices
- Store sensitive configuration in Secrets rather than directly in YAML files.
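Review bot: The two `kubectl create secret generic` commands here are the same ones added to internode-encryption.md in this change, and duplicated commands drift; consider keeping only the intro sentence and the relref, or making this the single canonical copy that the other page links to. In the visible hunk the values after `--from-file=certificate=` and `--from-file=key=` are empty; if angle-bracket placeholders were dropped, restore them so the command is copy-pasteable, and say that the certificate file must be PEM and should carry the full chain, as the prerequisites on the internode-encryption page state.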
diff --git a/content/operate/kubernetes/7.22/security/internode-encryption.md b/content/operate/kubernetes/7.22/security/internode-encryption.md
index 4e4044b2d1..65120e70ba 100644
--- a/content/operate/kubernetes/7.22/security/internode-encryption.md
+++ b/content/operate/kubernetes/7.22/security/internode-encryption.md
@@ -4,7 +4,7 @@ categories:
- docs
- operate
- kubernetes
-description: Enable encryption for communication between REC nodes in your K8s cluster.
+description: Enable encryption for communication between REC nodes and configure custom certificates.
linkTitle: Internode encryption
weight: 99
url: '/operate/kubernetes/7.22/security/internode-encryption/'
@@ -12,6 +12,8 @@ url: '/operate/kubernetes/7.22/security/internode-encryption/'
Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC).
+## Enable internode encryption
+
Enable internode encryption in the `spec` section of your REC custom resource file.
```yaml
@@ -24,8 +26,112 @@ This change will apply to all databases created in the REC. You can override the
Edit your Redis Enterprise database (REDB) custom resource file to disable internode encryption for only that database.
```yaml
-spec:
+spec:
dataInternodeEncryption: false
```
To learn more about internode encryption, see [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}).
+
+## Use custom certificates for internode encryption
+
+By default, Redis Enterprise uses self-signed certificates for internode encryption. You can provide your own certificates for both control plane and data plane internode encryption by storing them in Kubernetes secrets and referencing them in your REC specification.
+
+### Prerequisites
+
+- Internode encryption must be enabled (`dataInternodeEncryption: true`)
+- Certificates must be in PEM format
+- You must create the Kubernetes secrets before referencing them in the REC spec
+- Certificates should include the full certificate chain if using a certificate authority
+
+### Create secrets for internode encryption certificates
+
+Create Kubernetes secrets to store your internode encryption certificates. You need separate secrets for control plane and data plane encryption.
+
+1. Create a secret for control plane internode encryption:
+
+ ```sh
+ kubectl create secret generic cp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption
+ ```
+
+2. Create a secret for data plane internode encryption:
+
+ ```sh
+ kubectl create secret generic dp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=dp_internode_encryption
+ ```
+
+### Configure certificates in REC spec
+
+Add the certificate secret names to the `certificates` section of your REC specification:
+
+```yaml
+spec:
+ dataInternodeEncryption: true
+ certificates:
+ cpInterNodeEncryptionCertificateSecretName: cp-internode-cert
+ dpInterNodeEncryptionCertificateSecretName: dp-internode-cert
+```
+
+You can configure one or both certificate types. If you don't specify a certificate secret name, the cluster uses a self-signed certificate for that encryption type.
+
+Apply the updated REC specification:
+
+```sh
+kubectl apply -f .yaml
+```
+
+### Certificate rotation
+
+You can rotate internode encryption certificates using either of these methods:
+
+#### Method 1: Update the existing secret
+
+Edit the certificate data in the existing Kubernetes secret. The operator automatically detects the change and applies the new certificate.
+
+```sh
+kubectl create secret generic cp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption \
+ --dry-run=client -o yaml | kubectl apply -f -
+```
+
+#### Method 2: Create a new secret and update the REC spec
+
+1. Create a new secret with the updated certificate:
+
+ ```sh
+ kubectl create secret generic cp-internode-cert-new \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption
+ ```
+
+2. Update the REC specification to reference the new secret:
+
+ ```yaml
+ spec:
+ certificates:
+ cpInterNodeEncryptionCertificateSecretName: cp-internode-cert-new
+ ```
+
+3. Apply the updated REC specification:
+
+ ```sh
+ kubectl apply -f .yaml
+ ```
+
+### Certificate lifecycle
+
+When you remove a certificate secret reference from the REC specification, the operator does not delete the certificate from the Redis Enterprise cluster. The cluster continues to use the previously configured certificate until you explicitly replace it or the cluster reverts to using a self-signed certificate.
+
+## More info
+
+- [Manage REC certificates]({{< relref "/operate/kubernetes/7.22/security/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters
+- [Configuration secrets]({{< relref "/operate/kubernetes/7.22/security/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets
+- [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}) - Detailed information about how internode encryption works
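Review bot: The "Certificate lifecycle" paragraph leaves open the point an operator most needs: it says the cluster keeps the old certificate "until you explicitly replace it or the cluster reverts to using a self-signed certificate" but never says what triggers the reversion. State the condition explicitly, or, if removing the reference never reverts on its own, say so and tell the reader how to return to a cluster-provided certificate. Three smaller points: (1) the prerequisites tie both certificate types to `dataInternodeEncryption: true`, yet the control plane field is separate from the data plane one, so confirm whether the CP certificate really depends on that flag, and say which secret entry (`certificate`) carries the chain; (2) "the operator automatically detects the change" in Method 1 gives the reader no way to confirm the rotation took effect, so add a verification step such as checking the REC status or events; (3) Method 2 never says the superseded `cp-internode-cert` secret can be deleted once the new one is in use, and leaving old private keys in the namespace is avoidable. The `kubectl apply -f .yaml` and `--from-file=...=` values are empty in the visible hunk; restore the placeholders if they were stripped.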
diff --git a/content/operate/kubernetes/7.22/security/manage-rec-certificates.md b/content/operate/kubernetes/7.22/security/manage-rec-certificates.md
index 8fecc00876..ce35dc3182 100644
--- a/content/operate/kubernetes/7.22/security/manage-rec-certificates.md
+++ b/content/operate/kubernetes/7.22/security/manage-rec-certificates.md
@@ -24,9 +24,11 @@ Create the [secret](https://kubernetes.io/docs/tasks/configmap-secret/managing-s
kubectl create secret generic \
--from-file=certificate= \
--from-file=key= \
- --from-literal=name=
+ --from-literal=name=
```
+{{}}For internode encryption certificates, see [Internode encryption]({{< relref "/operate/kubernetes/7.22/security/internode-encryption" >}}) for detailed configuration instructions.{{}}
+
## Update certificates in the REC custom resource
Edit the Redis Enterprise cluster (REC) custom resource to add a `certificates` subsection under the `spec` section. You are only required to add the fields for the certificates you are installing.
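Review bot: The added callout starts and ends with empty shortcode delimiters (`{{}}` ... `{{}}`); the shortcode name (for example `note`) appears to be missing, which will break rendering, so check the source. The `- --from-literal=name=` / `+ --from-literal=name=` pair is identical in the visible hunk, which suggests the real change is to a placeholder that was stripped here; if the intent is to list `cp_internode_encryption` and `dp_internode_encryption` among the accepted `name` values, keep that list in sync with the API reference rows added in this change.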
@@ -39,6 +41,8 @@ spec:
syncerCertificateSecretName:
metricsExporterCertificateSecretName:
proxyCertificateSecretName:
+ cpInterNodeEncryptionCertificateSecretName:
+ dpInterNodeEncryptionCertificateSecretName:
```
### Update certificates through the API
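Review bot: The two new keys are appended after `proxyCertificateSecretName` with empty values like the rest of the example, which is consistent; since the internode-encryption page added in this change makes them depend on `dataInternodeEncryption: true`, add a sentence above the block saying so, because none of the other fields in this example carry such a dependency and a reader may set them on a cluster where internode encryption is off.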
diff --git a/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md b/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md
index 882c6c4cf7..f53e61115e 100644
--- a/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md
+++ b/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md
@@ -754,6 +754,20 @@ RS Cluster Certificates. Used to modify the certificates used by the cluster. Se
Secret name to use for cluster's CM (Cluster Manager) certificate. If left blank, a cluster-provided certificate will be used.
false |
+
+ | cpInterNodeEncryptionCertificateSecretName |
+ string |
+
+ Secret name to use for control plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.
+ |
+ false |
+
+ | dpInterNodeEncryptionCertificateSecretName |
+ string |
+
+ Secret name to use for data plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.
+ |
+ false |
| ldapClientCertificateSecretName |
string |
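Review bot: Same gap as in the versioned copy of this reference: the new cpInterNodeEncryptionCertificateSecretName and dpInterNodeEncryptionCertificateSecretName rows do not say what the referenced secret must contain (`certificate`, `key`, and a `name` literal of `cp_internode_encryption` / `dp_internode_encryption`). Add the expected `name` value or a pointer to the internode-encryption page to the description cell, and confirm the blank line and lone `|` before `false |` match the surrounding rows.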
diff --git a/content/operate/kubernetes/security/_index.md b/content/operate/kubernetes/security/_index.md
index 58462bf151..6a1f526de7 100644
--- a/content/operate/kubernetes/security/_index.md
+++ b/content/operate/kubernetes/security/_index.md
@@ -26,7 +26,7 @@ Configure TLS certificates and encryption for secure communications:
- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - Configure cluster certificates for TLS encryption
- [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) - Set up client certificate authentication for databases
-- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) - Enable encryption between cluster nodes
+- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) - Enable encryption between cluster nodes and configure custom certificates
## Resource management
diff --git a/content/operate/kubernetes/security/configuration-secrets.md b/content/operate/kubernetes/security/configuration-secrets.md
index 327b1e4f69..b7b8fd5940 100644
--- a/content/operate/kubernetes/security/configuration-secrets.md
+++ b/content/operate/kubernetes/security/configuration-secrets.md
@@ -79,6 +79,26 @@ kubectl create secret generic \
--from-literal=name=
```
+### Internode encryption certificates
+
+You can provide custom certificates for control plane and data plane internode encryption. Create separate secrets for each encryption type:
+
+```sh
+kubectl create secret generic cp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption
+```
+
+```sh
+kubectl create secret generic dp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=dp_internode_encryption
+```
+
+Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) for complete configuration details.
+
## Best practices
- Store sensitive configuration in Secrets rather than directly in YAML files.
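Review bot: These two secret-creation commands duplicate the ones added to internode-encryption.md in this change, so consider keeping only the intro and the relref here to avoid drift. The `--from-file=certificate=` and `--from-file=key=` values are empty in the visible hunk; restore the placeholders if they were stripped, and state that the certificate file must be PEM and should carry the full chain, as the prerequisites on the internode-encryption page say.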
diff --git a/content/operate/kubernetes/security/internode-encryption.md b/content/operate/kubernetes/security/internode-encryption.md
index 445345e3bc..f69853d8f2 100644
--- a/content/operate/kubernetes/security/internode-encryption.md
+++ b/content/operate/kubernetes/security/internode-encryption.md
@@ -4,13 +4,15 @@ categories:
- docs
- operate
- kubernetes
-description: Enable encryption for communication between REC nodes in your K8s cluster.
+description: Enable encryption for communication between REC nodes and configure custom certificates.
linkTitle: Internode encryption
weight: 99
---
Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC).
+## Enable internode encryption
+
Enable internode encryption in the `spec` section of your REC custom resource file.
```yaml
@@ -23,8 +25,112 @@ This change will apply to all databases created in the REC. You can override the
Edit your Redis Enterprise database (REDB) custom resource file to disable internode encryption for only that database.
```yaml
-spec:
+spec:
dataInternodeEncryption: false
```
To learn more about internode encryption, see [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}).
+
+## Use custom certificates for internode encryption
+
+By default, Redis Enterprise uses self-signed certificates for internode encryption. You can provide your own certificates for both control plane and data plane internode encryption by storing them in Kubernetes secrets and referencing them in your REC specification.
+
+### Prerequisites
+
+- Internode encryption must be enabled (`dataInternodeEncryption: true`)
+- Certificates must be in PEM format
+- You must create the Kubernetes secrets before referencing them in the REC spec
+- Certificates should include the full certificate chain if using a certificate authority
+
+### Create secrets for internode encryption certificates
+
+Create Kubernetes secrets to store your internode encryption certificates. You need separate secrets for control plane and data plane encryption.
+
+1. Create a secret for control plane internode encryption:
+
+ ```sh
+ kubectl create secret generic cp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption
+ ```
+
+2. Create a secret for data plane internode encryption:
+
+ ```sh
+ kubectl create secret generic dp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=dp_internode_encryption
+ ```
+
+### Configure certificates in REC spec
+
+Add the certificate secret names to the `certificates` section of your REC specification:
+
+```yaml
+spec:
+ dataInternodeEncryption: true
+ certificates:
+ cpInterNodeEncryptionCertificateSecretName: cp-internode-cert
+ dpInterNodeEncryptionCertificateSecretName: dp-internode-cert
+```
+
+You can configure one or both certificate types. If you don't specify a certificate secret name, the cluster uses a self-signed certificate for that encryption type.
+
+Apply the updated REC specification:
+
+```sh
+kubectl apply -f .yaml
+```
+
+### Certificate rotation
+
+You can rotate internode encryption certificates using either of these methods:
+
+#### Method 1: Update the existing secret
+
+Edit the certificate data in the existing Kubernetes secret. The operator automatically detects the change and applies the new certificate.
+
+```sh
+kubectl create secret generic cp-internode-cert \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption \
+ --dry-run=client -o yaml | kubectl apply -f -
+```
+
+#### Method 2: Create a new secret and update the REC spec
+
+1. Create a new secret with the updated certificate:
+
+ ```sh
+ kubectl create secret generic cp-internode-cert-new \
+ --from-file=certificate= \
+ --from-file=key= \
+ --from-literal=name=cp_internode_encryption
+ ```
+
+2. Update the REC specification to reference the new secret:
+
+ ```yaml
+ spec:
+ certificates:
+ cpInterNodeEncryptionCertificateSecretName: cp-internode-cert-new
+ ```
+
+3. Apply the updated REC specification:
+
+ ```sh
+ kubectl apply -f .yaml
+ ```
+
+### Certificate lifecycle
+
+When you remove a certificate secret reference from the REC specification, the operator does not delete the certificate from the Redis Enterprise cluster. The cluster continues to use the previously configured certificate until you explicitly replace it or the cluster reverts to using a self-signed certificate.
+
+## More info
+
+- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters
+- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets
+- [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}) - Detailed information about how internode encryption works
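Review bot: The "Certificate lifecycle" paragraph does not say what causes the cluster to revert to a self-signed certificate after a secret reference is removed; state the trigger, or say that removal never reverts and how to return to a cluster-provided certificate. Also: the prerequisites require `dataInternodeEncryption: true` for both certificate types even though the control plane field is separate from the data plane one, so confirm that dependency; Method 1 asserts the operator "automatically detects the change" without a way to verify it, so add a check such as the REC status or events; and Method 2 should say the old `cp-internode-cert` secret can be deleted once the new one is in use, so superseded private keys do not linger. The `kubectl apply -f .yaml` and `--from-file=...=` values are empty in the visible hunk; restore the placeholders if they were stripped.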
diff --git a/content/operate/kubernetes/security/manage-rec-certificates.md b/content/operate/kubernetes/security/manage-rec-certificates.md
index 767683bda4..d46b309c20 100644
--- a/content/operate/kubernetes/security/manage-rec-certificates.md
+++ b/content/operate/kubernetes/security/manage-rec-certificates.md
@@ -23,9 +23,11 @@ Create the [secret](https://kubernetes.io/docs/tasks/configmap-secret/managing-s
kubectl create secret generic \
--from-file=certificate= \
--from-file=key= \
- --from-literal=name=
+ --from-literal=name=
```
+{{}}For internode encryption certificates, see [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) for detailed configuration instructions.{{}}
+
## Update certificates in the REC custom resource
Edit the Redis Enterprise cluster (REC) custom resource to add a `certificates` subsection under the `spec` section. You are only required to add the fields for the certificates you are installing.
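Review bot: The added callout is wrapped in empty shortcode delimiters (`{{}}` ... `{{}}`), so the shortcode name appears to be missing and the page will not render as intended; check the source. The `- --from-literal=name=` / `+ --from-literal=name=` lines are identical in the visible hunk, which suggests a stripped placeholder; if the change adds `cp_internode_encryption` and `dp_internode_encryption` to the accepted values, keep that list aligned with the API reference rows added in this change.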
@@ -38,6 +40,8 @@ spec:
syncerCertificateSecretName:
metricsExporterCertificateSecretName:
proxyCertificateSecretName:
+ cpInterNodeEncryptionCertificateSecretName:
+ dpInterNodeEncryptionCertificateSecretName:
```
### Update certificates through the API
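Review bot: The two new keys fit the existing example, but since the internode-encryption page in this change makes them depend on `dataInternodeEncryption: true`, add a sentence above the block stating that dependency; the other fields in the example have none, so a reader may otherwise set these on a cluster with internode encryption disabled.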