Migrate Monitoring from HTTP to HTTPS

Create an SSL Secret

Create a Secret containing the server certificate, server private key, and CA certificate that will be used for HTTPS connections. The Secret must be named <cluster-name>-additional-secrets so that it is mounted automatically into each pod of the cluster, under /etc/memsql/extra-secret.

Option 1: Use kubectl

Use kubectl to create the Secret.

kubectl create secret generic <cluster-name>-additional-secrets \
--from-file=ssl-crt=<path_to_server-cert.pem> \
--from-file=ssl-key=<path_to_server-key.pem> \
--from-file=ssl-ca=<path_to_ca-cert.pem>

Option 2: Declare an SSL Secret in a YAML File

The data section of the secret must have the following key/value pairs:

  • ssl-crt: The Base64-encoded server certificate

  • ssl-key: The Base64-encoded server private key

  • ssl-ca: The Base64-encoded Certificate Authority (CA) certificate

For example:

apiVersion: v1
kind: Secret
metadata:
  name: <cluster-name>-additional-secrets
type: Opaque
data:
  ssl-ca: ...WdNQWtOQk1SWXdGQ...
  ssl-crt: ...U5wYzJOdk1ROHdEU...
  ssl-key: ...HaVBOTytQaEh2QSt...

Note: Replace <cluster-name> with your SingleStore cluster name.
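The following POSIX shell script is an added example, not part of the SingleStore documentation: it checks that the three PEM files belong together (the private key matches the server certificate, the CA signed it, and it is not about to expire) before emitting the Option 2 manifest with the values base64-encoded on one line. The throwaway CA and server certificate it can generate are constructed for offline testing only, and the 30-day expiry window is an assumption.

```shell
#!/bin/sh
# Added example, not part of the SingleStore docs: validate the PEM files and
# build the <cluster-name>-additional-secrets manifest (Option 2 layout).
set -eu

# Reject the files unless ssl-key matches ssl-crt, ssl-ca signed ssl-crt, and
# ssl-crt stays valid for at least 30 days (assumed window, 2592000 seconds).
check_ssl_files() {
  crt=$1; key=$2; ca=$3
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$crt_pub" = "$key_pub" ] || { echo "ssl-key does not match ssl-crt" >&2; return 1; }
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "ssl-crt is not signed by ssl-ca" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null || { echo "ssl-crt expires within 30 days" >&2; return 1; }
}

# Print the Secret manifest with each file base64-encoded on a single line,
# exactly as the data section expects; fails if check_ssl_files fails.
secret_manifest() {
  cluster=$1; crt=$2; key=$3; ca=$4
  check_ssl_files "$crt" "$key" "$ca" || return 1
  b64() { base64 < "$1" | tr -d '\n'; }
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s-additional-secrets\ntype: Opaque\ndata:\n  ssl-crt: %s\n  ssl-key: %s\n  ssl-ca: %s\n' \
    "$cluster" "$(b64 "$crt")" "$(b64 "$key")" "$(b64 "$ca")"
}

# Constructed test material: a throwaway CA and a server certificate it signs,
# so the functions above can be exercised offline. Real clusters use the
# certificates issued for them instead.
make_test_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj /CN=test-ca \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=node-sdb-cluster-master-0 \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 60 -in "$dir/server.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/server-cert.pem" 2>/dev/null
}

# Usage: secret_manifest <cluster-name> server-cert.pem server-key.pem ca-cert.pem | kubectl apply -f -
```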

Confirm that the Keys are Mounted to the Cluster

  1. Exec into the Master Aggregator (MA) pod.

    kubectl exec -it node-<cluster-name>-master-0 -c node -- /bin/sh
  2. Confirm that the following files are present in the /etc/memsql/extra-secret directory.

    ssl-crt
    ssl-key
    ssl-ca

Refer to SSL Secure Connections for more information.

Add the Exporter SSL Args

  1. In the sdb-operator.yaml file on the Source cluster, add the following argument to the args list in the sdb-operator section.

    "--master-exporter-parameters",
    "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables --no-cluster-collect.info_schema.tablestats --no-collect.info_schema.tables --no-collect.info_schema.tablestats"

    Note that --master-exporter-parameters is a single argument and the quoted string that follows it is its value; the exporter options inside that string are separated by spaces, not by commas. When modified, the file will resemble the following.

    If the cluster is configured to use the root user with SSL, an additional --config.ssl-ca=/etc/memsql/ssl/ca-cert.pem option must be added to the --master-exporter-parameters value.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: sdb-operator
      labels:
        app.kubernetes.io/component: operator
    spec:
      replicas: 1
      selector:
        matchLabels:
          name: sdb-operator
      template:
        metadata:
          labels:
            name: sdb-operator
        spec:
          serviceAccountName: sdb-operator
          containers:
            - name: sdb-operator
              image: operator_image_tag
              imagePullPolicy: Always
              args: [
                # Cause the operator to merge rather than replace annotations on services
                "--merge-service-annotations",
                # Allow the process inside the container to have read/write access to the `/var/lib/memsql` volume.
                "--fs-group-id", "5555",
                "--cluster-id", "sdb-cluster",
                "--master-exporter-parameters",
                "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables --no-cluster-collect.info_schema.tablestats --no-collect.info_schema.tables --no-collect.info_schema.tablestats"
              ]
              env:
                - name: WATCH_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: OPERATOR_NAME
                  value: "sdb-operator"
  2. Apply the changes to the cluster.

    kubectl apply -f sdb-operator.yaml
  3. Confirm that the Operator pod is running.

    kubectl get pods
    memsql-operator-758ffb66c8-5sn4l      1/1     Running
  4. Run the following command to force a restart of the memsql_exporter container on the master pod.

    kubectl exec -it node-<memsql-cluster-name>-master-0 -c exporter -- /bin/sh -c "kill 1"

Create and Apply the Start Monitoring Job

The following YAML creates a job that sets up the metrics database and the associated pipelines.

With Internet Access

  1. Modify the start-monitoring-job.yaml file so that it resembles the following. Note that:

    1. <database-user> must be replaced with the desired database user, such as the admin user

    2. <database-user-password> must be replaced with this database user’s password

    3. <exporter-hostname> must be replaced with the exporter hostname from the Configure Cluster Monitoring with the Operator step

    4. <other-options…> must be removed or replaced with the options available in sdb-admin start-monitoring-kube

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: toolbox-start-monitoring
    spec:
      template:
        spec:
          serviceAccountName: tools
          containers:
            - name: toolbox-start-monitoring
              image: singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb
              imagePullPolicy: IfNotPresent
              command: ["sdb-admin",
                        "start-monitoring-kube",
                        "--user=<database-user>",
                        "--password=<database-user-password>",
                        "--exporter-host=<exporter-hostname>",
                        "--ssl-ca=/etc/memsql/extra-secret/ssl-ca",
                        "--yes",
                        <other options…>
                       ]
          restartPolicy: Never
      backoffLimit: 2
  2. Run the following command to apply the changes in the start-monitoring-job.yaml file.

    kubectl apply -f start-monitoring-job.yaml

Last modified: February 12, 2024
