Configure TLS/SSL/WebSocket

Enable SSL via secureConnectionSpec

Users may declare a secureConnectionSpec section to enable secure connections. This is an optional section that can be added to the sdb-cluster.yaml file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters. To create an SSL secret, refer to Create SSL Secret.

Note

TLS/SSL downgrades are not supported. WebSocket can be enabled or disabled.

  secureConnectionSpec:
    sslSecretName: ssl-secret
    clientServerConnection: enable
    intraClusterConnection: enable
    enableWebSockets: true

Valid values for the fields in secureConnectionSpec are:

  • sslSecretName: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.

    The data section of the secret must have the following key/value pairs:

    • tls.crt: The base64-encoded server certificate

    • tls.key: The base64-encoded server private key

    • tls.ca: The base64-encoded Certificate Authority (CA) certificate. Only required when intraClusterConnection is set to enable.

    For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ssl-secret
    type: Opaque
    data:
      tls.ca: ...WdNQWtOQk1SWXdGQ...
      tls.crt: ...U5wYzJOdk1ROHdEU...
      tls.key: ...HaVBOTytQaEh2QSt...
  • clientServerConnection: enable, '' (empty string).

    • Alternatively, leave this field out.

    • When set to enable, the server permits, but does not require, a secure connection between client and server.

    • Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.

  • intraClusterConnection: enable, '' (empty string).

    • Alternatively, leave this field out.

    • When set to enable, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.

    • When set to enable, clientServerConnection is treated as enable regardless of its own value.

    • Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.

  • enableWebSockets: true, false.

    • WebSocket support can be enabled (true) or disabled (false).

    • When set to true, either clientServerConnection or intraClusterConnection must be set to enable.

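As an added check (example code, not part of the SingleStore documentation or the Operator), the following Python applies the secureConnectionSpec rules above to a spec mapping and inspects the Secret it names, in the JSON form that `kubectl get secret <name> -o json` prints, for the required data keys and for values that are not PEM after a single base64 decode, which is what you get when already-encoded text is pasted into `kubectl edit secret` during rotation. The Secret and the PEM bodies are constructed placeholders, and the spec is passed as a Python dict (load it from sdb-cluster.yaml with any YAML library).

```python
import base64
import json
# Constructed placeholder PEM bodies (not real certificates); only the headers matter here.
SAMPLE_CRT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nMIIE...placeholder\n-----END PRIVATE KEY-----\n"
# Header each data key must decode to; tls.key accepts the common private-key encodings.
PEM_HEADERS = {"tls.crt": (b"-----BEGIN CERTIFICATE-----",), "tls.ca": (b"-----BEGIN CERTIFICATE-----",),
               "tls.key": (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
                           b"-----BEGIN EC PRIVATE KEY-----")}

def make_secret(name: str, files: dict) -> str:
    """JSON as `kubectl get secret <name> -o json` prints it; kubectl base64-encodes each value."""
    data = {key: base64.b64encode(value).decode() for key, value in files.items()}
    return json.dumps({"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                       "metadata": {"name": name}, "data": data})

def check_spec(spec: dict) -> list:
    """Apply the secureConnectionSpec rules listed above; return the problems found."""
    problems = []
    if not spec.get("sslSecretName"):
        problems.append("sslSecretName is required")
    for field in ("clientServerConnection", "intraClusterConnection"):
        if spec.get(field, "") not in ("enable", ""):
            problems.append(f"{field}: expected 'enable' or empty, got {spec[field]!r}")
    secure = "enable" in (spec.get("clientServerConnection"), spec.get("intraClusterConnection"))
    if spec.get("enableWebSockets") is True and not secure:
        problems.append("enableWebSockets: true needs clientServerConnection or intraClusterConnection enabled")
    return problems

def check_secret(secret_json: str, spec: dict) -> list:
    """Check the Secret's data keys against the spec; catches double-encoded PEM too."""
    secret = json.loads(secret_json)
    problems = []
    if secret.get("metadata", {}).get("name") != spec.get("sslSecretName"):
        problems.append("Secret name does not match sslSecretName")
    required = ["tls.crt", "tls.key"]
    if spec.get("intraClusterConnection") == "enable":
        required.append("tls.ca")  # nodes verify each other against the CA
    for key in required:
        encoded = secret.get("data", {}).get(key)
        if encoded is None:
            problems.append(f"missing data key {key}")
            continue
        try:
            pem = base64.b64decode(encoded, validate=True)
        except ValueError:
            pem = b""  # not base64 at all; fails the header check below
        if not pem.startswith(PEM_HEADERS[key]):
            problems.append(f"{key}: decoded value is not PEM (bad base64, double-encoded or wrong file?)")
    return problems
```

Against a live cluster, feed the output of `kubectl get secret ssl-secret -o json` to check_secret together with the spec; an empty list means the Secret satisfies the spec.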
A secure connection can be made to the server using a MySQL (or compatible) client only when a secure connection is enabled. The following optional usersSpec section defines whether a secure connection is enforced for the admin user (the database user created by the Operator).

  usersSpec:
    adminRequireSsl: true # true to enable, false to disable

Omit the adminRequireSsl field to preserve the current adminRequireSsl settings in the SingleStore engine.

Refer to SSL Secure Connections for more information.

Create SSL Secret

Before enabling SSL using secureConnectionSpec, create a Kubernetes Secret that contains your certificates:

  kubectl create secret generic ssl-secret \
    --from-file=tls.crt=<path_to_server-cert.pem> \
    --from-file=tls.key=<path_to_server-key.pem> \
    --from-file=tls.ca=<path_to_ca-cert.pem>

After creating the secret, enable SSL by adding the secureConnectionSpec section to your cluster configuration.

SSL Certificate Rotation

Method 1: Online Rotation

  1. Modify the existing Kubernetes Secret directly:

    kubectl edit secret ssl-secret
  2. Update the base64-encoded values for the following keys in the data section:

    • tls.crt

    • tls.key

    • tls.ca

  3. Save the Secret. The SSL certificates will automatically reload without requiring a node restart.

  4. Verify that the new certificates have been loaded successfully:

    kubectl exec node-<cluster-name>-master-0 -c node -- \
      openssl s_client -connect localhost:3306 -showcerts

Method 2: Offline Rotation

Note

This procedure triggers a rolling restart. If SSL is configured for intra-cluster communication (intraClusterConnection: enable), you must use Method 1: Online Rotation. Improper rotation using the offline method may cause the cluster to become unavailable when only a subset of nodes has been updated with new certificates.

  1. Create a new Secret containing the updated certificates:

    kubectl create secret generic ssl-secret-new \
      --from-file=tls.crt=<path_to_new_cert.pem> \
      --from-file=tls.key=<path_to_new_key.pem> \
      --from-file=tls.ca=<path_to_new_ca.pem>
  2. Update the secureConnectionSpec in your cluster configuration to reference the new Secret:

    secureConnectionSpec:
      sslSecretName: ssl-secret-new
      clientServerConnection: enable
      intraClusterConnection: enable
  3. Apply the updated specification:

    kubectl apply -f sdb-cluster.yaml
  4. The Operator will initiate a rolling restart of all cluster nodes.

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
      cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
        --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
        --bundle undefined \
        --new-bundle-format -
    Verified OK
