Sign inTry Free

Configure TLS/SSL/WebSocket

On this page

Enable SSL via secureConnectionSpec

Users may declare a secureConnectionSpec section to enable secure connections. This is an optional section that can be added to the sdb-cluster.yaml file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters.

Note

TLS/SSL downgrades are not supported. WebSocket can be enabled or disabled.

secureConnectionSpec:
  sslSecretName: ssl-secret
  clientServerConnection: enable
  intraClusterConnection: enable
  enableWebSockets: true

Valid values for the fields in secureConnectionSpec are:

  • sslSecretName: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.

The data section of the secret must have the following key/value pairs:

  • tls.crt: The base64-encoded server certificate

  • tls.key: The base64-encoded server private key

  • tls.ca: The base64-encoded Certificate Authority (CA) certificate. Only required when intraClusterConnection is set to enable.

    For example:

    apiVersion: v1
    kind: Secret
    metadata:
       name: ssl-secret
    type: Opaque
    data:
      tls.ca:  ...WdNQWtOQk1SWXdGQ...
      tls.crt: ...U5wYzJOdk1ROHdEU...
      tls.key: ...HaVBOTytQaEh2QSt...

  • clientServerConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.

    • When set to enable, the server permits, but does not require, secure connection between client and server.

    • Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.

  • intraClusterConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.

    • When set to enable, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.

    • When set to true, clientServerConnection will be treated as true regardless of its value.

    • Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.

  • enableWebSockets: true, false.

    • WebSocket support can be enabled (true) or disabled (false).

    • When set to true, either clientServerConnection or intraClusterConnection must be set to enable.

A secure connection can be made to the server using a MySQL (or compatible) client only when a secure connection is enabled. The following optional userSpec section defines whether a secure connection is enforced for the admin user (the database user created by the Operator).

usersSpec:
  adminRequireSsl: true  # true to enable, false to disable

Omit the adminRequireSsl field to preserve the current adminRequireSsl settings in the SingleStore engine.

Refer to SSL Secure Connections for more information.

Enable SSL via kubectl

Alternatively, you may enable SSL by using kubectl to create the associated Secret.

kubectl create secret generic ssl-secret \
  --from-file=tls.crt=<path_to_server-cert.pem> \
  --from-file=tls.key=<path_to_server-key.pem> \
  --from-file=tls.ca=<path_to_ca-cert.pem>

Confirm that these values were applied to the cluster.

  1. Exec into the Master Aggregator (MA) pod.

    kubectl exec node-<cluster-name>-master-0 -c node

  2. Confirm that the following entries are present in the /var/lib/memsql/instance/memsql.cnf file.

    ssl_ca = /etc/memsql/ssl/ca-cert.pem
ssl_cert = /etc/memsql/ssl/server-cert.pem
ssl_key = /etc/memsql/ssl/server-key.pem

Refer to SSL Secure Connections for more information.

Last modified: May 25, 2023

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK