Configure TLS/SSL/WebSocket

Enable SSL via secureConnectionSpec

Users may declare a secureConnectionSpec section to enable secure connections. This is an optional section that can be added to the sdb-cluster.yaml file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters.


TLS/SSL downgrades are not supported. WebSocket can be enabled or disabled.

sslSecretName: ssl-secret
clientServerConnection: enable
intraClusterConnection: enable
enableWebSockets: true

Valid values for the fields in secureConnectionSpec are:

  • sslSecretName: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.

The data section of the secret must have the following key/value pairs:

  • tls.crt: The base64-encoded server certificate

  • tls.key: The base64-encoded server private key

  • The base64-encoded Certificate Authority (CA) certificate. Only required when intraClusterConnection is set to enable.

    For example:

    apiVersion: v1
    kind: Secret
    name: ssl-secret
    type: Opaque
    data: ...WdNQWtOQk1SWXdGQ...
    tls.crt: ...U5wYzJOdk1ROHdEU...
    tls.key: ...HaVBOTytQaEh2QSt...
  • clientServerConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.

    • When set to enable, the server permits, but does not require, secure connection between client and server.

    • Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.

  • intraClusterConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.

    • When set to enable, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.

    • When set to true, clientServerConnection will be treated as true regardless of its value.

    • Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.

  • enableWebSockets: true, false.

    • WebSocket support can be enabled (true) or disabled (false).

    • When set to true, either clientServerConnection or intraClusterConnection must be set to enable.

A secure connection can be made to the server using a MySQL (or compatible) client only when a secure connection is enabled. The following optional userSpec section defines whether a secure connection is enforced for the admin user (the database user created by the Operator).

adminRequireSsl: true # true to enable, false to disable

Omit the adminRequireSsl field to preserve the current adminRequireSsl settings in the SingleStore engine.

Refer to SSL Secure Connections for more information.

Enable SSL via kubectl

Alternatively, you may enable SSL by using kubectl to create the associated Secret.

kubectl create secret generic ssl-secret \
--from-file=tls.crt=<path_to_server-cert.pem> \
--from-file=tls.key=<path_to_server-key.pem> \<path_to_ca-cert.pem>

Confirm that these values were applied to the cluster.

  1. Exec into the Master Aggregator (MA) pod.

    kubectl exec node-<cluster-name>-master-0 -c node
  2. Confirm that the following entries are present in the /var/lib/memsql/instance/memsql.cnf file.

    ssl_ca = /etc/memsql/ssl/ca-cert.pem
    ssl_cert = /etc/memsql/ssl/server-cert.pem
    ssl_key = /etc/memsql/ssl/server-key.pem

Refer to SSL Secure Connections for more information.

Last modified: May 25, 2023

Was this article helpful?