Migrate Monitoring from HTTP to HTTPS
On this page
Prerequisites
Note
These instructions have been developed for SingleStore clusters that have been installed and deployed via .
or .
packages as a sudo
user.
If your cluster was deployed via tarball as a non-sudo
user, change to the directory (cd
) in which singlestoredb-toolbox
was untarred and run all sdb-admin
commands as .
.
To migrate an existing cluster monitoring instance from HTTP to HTTPS connections, the following additional requirements must be met.
-
Each Source and Metrics cluster must be running SingleStore 7.
6. 24 or later, or SingleStore 7. 8. 19 or later. -
Clusters are managed with SingleStore Toolbox 1.
14. 2 or later. -
A server SSL certificate and a key signed with a CA certificate.
This guide assumes that: -
The server SSL certificate file is named
server-cert.
.pem -
The server key file is named
server-key.
.pem Note that the server key may be protected with a passphrase. -
The CA certificate file is named
ca-cert.
.pem -
Refer to Generating SSL Certificates for an example of generating these certificates.
-
SingleStore Toolbox is recommended for managing the clusters as automation during setup is provided through sdb-admin
commands.
Migrate Cluster Hosts to HTTPS
-
Stop the exporter on the Source cluster.
sdb-admin configure-monitoring --stop-exporter -
Drop the monitoring pipelines for the Metrics cluster on the Master Aggregator.
DROP PIPELINE <metrics-database>.<metrics-pipeline-name>;DROP PIPELINE <metrics-database>.<blobs-pipeline-name>; -
Copy the server certificate and key to the Master Aggregator host of the Source cluster.
This certificate will be used by the exporter process and must be readable by the user under which the nodes are running on the host (typically the memsql
user). -
Copy the CA certificate to the same file path on each host of the Metrics cluster.
Alternatively, a directory containing multiple CA certificates can be provided, and this path must be the same on all hosts.
This directory will be used by the monitoring pipelines and must be readable by the user under which the nodes are running on the host (typically the
memsql
user). -
On the Source cluster, run the following command to start the exporter.
Note: If starting the exporter as a database user other than
root
, substitute the database user forroot
in the--exporter-user
option and this user’s password for<secure-password>
in the--exporter-password
option.sdb-admin configure-monitoring \--exporter-user root \--exporter-password <secure-password> \--exporter-use-https \--exporter-ssl-cert=/path/to/server-cert.pem \--exporter-ssl-key=/path/to/server-key.pem \--exporter-ssl-passphrase=<passphrase>Note: The
--exporter-ssl-passphrase
option should only be included if the server key has a passphrase.Refer to configure-monitoring for additional options, including
--exporter-user
and--exporter-password
. -
On the Metrics cluster, resume monitoring.
Note: If starting the monitoring process as a database user other than
root
, substitute the database user forroot
in the--user
option and this user’s password for<secure-password>
in the--password
option.sdb-admin start-monitoring \--database-name metrics \--exporter-host <exporter-hostname-or-IP-address> \--user root \--password <secure-password> \--retention-period 10 \--ssl-ca /path/to/ca-cert.pem --or----ssl-capath /ca-directory/including/pathRefer to start-monitoring for additional options.
Note
Repeat the following steps for each Source cluster.
Last modified: September 13, 2024