Sign inTry Free

Migrate Monitoring from HTTP to HTTPS

On this page

Create an SSL Secret

Create a Secret containing SSL certificates that will be used for HTTPS connections. The Secret must be named <cluster-name>-additional-secrets to be automatically mounted to each pod of the cluster.

Option 1: Use kubectl

Use kubectl to create the Secret.

kubectl create secret generic <cluster-name>-additional-secrets \
  --from-file=ssl-crt=<path_to_server-cert.pem> \
  --from-file=ssl-key=<path_to_server-key.pem> \
  --from-file=ssl-ca=<path_to_ca-cert.pem>

Option 2: Declare an SSL Secret in a YAML File

The data section of the secret must have the following key/value pairs:

  • ssl-crt: The Base64-encoded server certificate

  • ssl-key: The Base64-encoded server private key

  • ssl-ca: The Base64-encoded Certificate Authority (CA) certificate

For example:

apiVersion: v1
kind: Secret
metadata:
   name: <cluster-name>-additional-secrets
type: Opaque
data:
  ssl-ca:  ...WdNQWtOQk1SWXdGQ...
  ssl-crt: ...U5wYzJOdk1ROHdEU...
  ssl-key: ...HaVBOTytQaEh2QSt...

Note: Replace <cluster-name> with your SingleStore cluster name.

Confirm that the Keys are Mounted to the Cluster

  1. Exec into the Master Aggregator (MA) pod.

    kubectl exec node-<cluster-name>-master-0 -c node

  2. Confirm that the following files are present in the /etc/memsql/extra-secret directory.

    ssl-crt
ssl-key
ssl-ca

Refer to SSL Secure Connections for more information.

Add the Exporter SSL Args

  1. In the sdb-operator.yaml file on the Source cluster, add the following argument to the args list in the sdb-operator section.

    "--master-exporter-parameters",
    "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt
    --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables
    --no-cluster-collect.info_schema.tablestats
    --no-collect.info_schema.tables --no-collect.info_schema.tablestats"

    Note that this is a single master-exporter-parameters argument and the remainder is its value. When modified, the file will resemble the following.

    If the cluster is configured to use the root user with SSL, an additional --config.ssl-ca=/etc/memsql/ssl/ca-cert.pem argument must be added into the --master-exporter-parameters.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: sdb-operator
      labels:
        app.kubernetes.io/component: operator
    spec:
      replicas: 1
      selector:
        matchLabels:
          name: sdb-operator
      template:
        metadata:
          labels:
            name: sdb-operator
        spec:
          serviceAccountName: sdb-operator
          containers:
            - name: sdb-operator
              image: operator_image_tag
              imagePullPolicy: Always
              args: [
                # Cause the operator to merge rather than replace annotations on services
                "--merge-service-annotations",
                # Allow the process inside the container to have read/write access to the `/var/lib/memsql` volume.
                "--fs-group-id", "5555",
                "--cluster-id", "sdb-cluster"
                "--master-exporter-parameters",
                "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables --no-cluster-collect.info_schema.tablestats --no-collect.info_schema.tables --no-collect.info_schema.tablestats"          ]
              env:
                - name: WATCH_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: OPERATOR_NAME
                  value: "sdb-operator"

  2. Apply the changes to the cluster.

    kubectl apply -f sdb-operator.yaml

  3. Confirm that the Operator pod is running.

    kubectl get pods
    memsql-operator-758ffb66c8-5sn4l      1/1     Running

  4. Run the following command to force a restart of the memsql_exporter container on the master pod.

    kubectl exec -it node-<memsql-cluster-name>-master-0 -cexporter -- /bin/sh -c "kill 1"

Create and Apply the Start Monitoring Job

The following YAML creates a job that sets up the metrics database and the associated pipelines.

With Internet Access

  1. Modify the start-monitoring-job.yaml file so that it resembles the following. Note that:

    1. <database-user> must be replaced with the desired database user, such as the admin user

    2. <database-user-password> must be replaced with this database user’s password

    3. <exporter-hostname> must be replaced with the exporter hostname from the Configure Cluster Monitoring with the Operator step

    4. <other-options…> must be removed or replaced with the options available in sdb-admin start-monitoring-kube

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: toolbox-start-monitoring
    spec:
      template:
        spec:
          serviceAccountName: tools
          containers:
          - name: toolbox-start-monitoring
            image: singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb
            imagePullPolicy: IfNotPresent
            command: ["sdb-admin",
                      "start-monitoring-kube",
                      "--user=<database-user>",
                      "--password=<database-user-password>",
                      "--collect-event-traces",
                      "--exporter-host=<exporter-hostname>",
                      "--ssl-ca=/etc/memsql/extra-secret/ssl-ca",
                      "--yes"
    		<other options…>
                      ]
          restartPolicy: Never
      backoffLimit: 2

  2. Run the following command to apply the changes in the start-monitoring-job.yaml file.

    kubectl apply -f start-monitoring-job.yaml

Last modified: February 12, 2024

Was this article helpful?

On this page

Was this article helpful?