Skip to main content

SingleStoreDB v7.6

Configure TLS/SSL/WebSocket

Users may declare a secureConnectionSpec section to enable secure connections. This is an optional section that can be added to the sdb-cluster.yaml file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters.

Notice

TLS/SSL downgrades are not supported. WebSocket can be enabled or disabled.

secureConnectionSpec:
  sslSecretName: ssl-secret
  clientServerConnection: enable
  intraClusterConnection: enable
  enableWebSockets: true

Valid values for the fields in secureConnectionSpec are:

  • sslSecretName: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.

The data section of the secret must have the following key/value pairs:

  • tls.crt: The base64-encoded server certificate

  • tls.key: The base64-encoded server private key

  • tls.ca: The base64-encoded Certificate Authority (CA) certificate. Only required when intraClusterConnection is set to enable.

For example:

apiVersion: v1
kind: Secret
metadata:
   name: ssl-secret
type: Opaque
data:
  tls.ca:  ...WdNQWtOQk1SWXdGQ...
  tls.crt: ...U5wYzJOdk1ROHdEU...
  tls.key: ...HaVBOTytQaEh2QSt...

  • clientServerConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.

    • When set to enable, the server permits, but does not require, secure connection between client and server.

    • Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.

  • intraClusterConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.

    • When set to enable, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.

    • When set to true, clientServerConnection will be treated as true regardless of its value.

    • Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.

  • enableWebSockets: true, false.

    • WebSocket support can be enabled (true) or disabled (false).

    • When set to true, either clientServerConnection or intraClusterConnection must be set to enable.

A secure connection can be made to the server using a MySQL (or compatible) client only when a secure connection is enabled. The following optional userSpec section defines whether a secure connection is enforced for the admin user (the database user created by the Operator).

usersSpec:
  adminRequireSsl: true  # true to enable, false to disable

Omit the adminRequireSsl field to preserve the current adminRequireSsl settings in the SingleStoreDB engine.

Refer to SSL Secure Connections for more information.

In this section: