Migrate Monitoring from HTTP to HTTPS

Prerequisites

Note

These instructions have been developed for SingleStore clusters that have been installed and deployed via .rpm or .deb packages as a sudo user.

If your cluster was deployed via tarball as a non-sudo user, change to the directory (cd) in which singlestoredb-toolbox was untarred and run all sdb-admin commands as ./sdb-admin.

To migrate an existing cluster monitoring instance from HTTP to HTTPS connections, the following additional requirements must be met.

  • Each Source and Metrics cluster must be running SingleStore 7.6.24 or later, or SingleStore 7.8.19 or later. SingleStore 8.5 or later is required to collect trace events.

  • Clusters are managed with SingleStore Toolbox 1.14.2 or later.

  • A server SSL certificate and a key signed with a CA certificate. This guide assumes that:

    • The server SSL certificate file is named server-cert.pem.

    • The server key file is named server-key.pem. Note that the server key may be protected with a passphrase.

    • The CA certificate file is named ca-cert.pem.

    • Refer to Generating SSL Certificates for an example of generating these certificates.

SingleStore Toolbox is recommended for managing the clusters because its sdb-admin commands automate the setup. While monitoring can be enabled through a series of SQL commands, the preferred method is to use SingleStore Toolbox.

Migrate Cluster Hosts to HTTPS

    Note

    Repeat the following steps for each Source cluster. The same or new certificates may be used.

  1. Stop the exporter on the Source cluster.

    sdb-admin configure-monitoring --stop-exporter

  2. Drop the monitoring pipelines for the Metrics cluster on the Master Aggregator.

    DROP PIPELINE <metrics-database>.<metrics-pipeline-name>;
    DROP PIPELINE <metrics-database>.<blobs-pipeline-name>;

  3. Copy the server certificate and key to the Master Aggregator host of the Source cluster. This certificate will be used by the exporter process and must be readable by the user under which the nodes are running on the host (typically the memsql user).

  4. Copy the CA certificate to the same file path on each host of the Metrics cluster.

    Alternatively, a directory containing multiple CA certificates can be provided, and this path must be the same on all hosts.

    This directory will be used by the monitoring pipelines and must be readable by the user under which the nodes are running on the host (typically the memsql user).

  5. On the Source cluster, run the following command to start the exporter.

    Note: If starting the exporter as a database user other than root, substitute the database user for root in the --exporter-user option and this user’s password for <secure-password> in the --exporter-password option.

    sdb-admin configure-monitoring \
    --exporter-user root \
    --exporter-password <secure-password> \
    --exporter-use-https \
    --exporter-ssl-cert=/path/to/server-cert.pem \
    --exporter-ssl-key=/path/to/server-key.pem \
    --exporter-ssl-passphrase=<passphrase>

    Note: The --exporter-ssl-passphrase option should only be included if the server key has a passphrase.

    Refer to configure-monitoring for additional options, including --exporter-user and --exporter-password.

  6. On the Metrics cluster, resume monitoring.

    Note: If starting the monitoring process as a database user other than root, substitute the database user for root in the --user option and this user’s password for <secure-password> in the --password option.

    sdb-admin start-monitoring \
    --database-name metrics \
    --collect-event-traces \
    --exporter-host <exporter-hostname-or-IP-address> \
    --user root \
    --password <secure-password> \
    --retention-period 10 \
    --ssl-ca /path/to/ca-cert.pem

    To use a directory of CA certificates instead, replace the --ssl-ca option with:

    --ssl-capath /ca-directory/including/path

    Refer to start-monitoring for additional options.
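The certificate requirements in steps 3 to 5 can be checked before the exporter is restarted. The script below is an added example, not part of the SingleStore documentation: it confirms that server-cert.pem was issued by ca-cert.pem, that server-key.pem belongs to that certificate, and that the node user can read both files. The function names and the KEY_PASSPHRASE variable are hypothetical, and it assumes openssl and sudo are installed and that the server certificate is issued directly by the CA.

```sh
#!/bin/sh
# Added example: pre-flight checks for server-cert.pem, server-key.pem and
# ca-cert.pem before running sdb-admin configure-monitoring with HTTPS options.
# Function names and the KEY_PASSPHRASE variable are hypothetical.

# Succeeds if the server certificate was issued by the CA certificate.
cert_signed_by_ca() {    # usage: cert_signed_by_ca CA_CERT SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the private key belongs to the certificate (same public key).
# For a passphrase-protected key, export KEY_PASSPHRASE first; openssl reads
# it from the environment, so it is not placed on openssl's command line.
key_matches_cert() {     # usage: key_matches_cert SERVER_CERT SERVER_KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    # Unquoted on purpose: expands to two words, or to nothing when unset.
    key_pub=$(openssl pkey -in "$2" -pubout \
        ${KEY_PASSPHRASE:+-passin env:KEY_PASSPHRASE}) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the OS user that runs the nodes can read the file.
readable_by_user() {     # usage: readable_by_user USER FILE
    if [ "$1" = "$(id -un)" ]; then
        [ -r "$2" ]
    else
        sudo -n -u "$1" test -r "$2"
    fi
}

# Runs every check and reports all failures rather than stopping at the first.
preflight() {  # usage: preflight CA_CERT SERVER_CERT SERVER_KEY [NODE_USER]
    user=${4:-memsql}; rc=0
    cert_signed_by_ca "$1" "$2" || { echo "FAIL: $2 not issued by $1" >&2; rc=1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 does not match $2" >&2; rc=1; }
    for f in "$2" "$3"; do
        readable_by_user "$user" "$f" ||
            { echo "FAIL: $user cannot read $f" >&2; rc=1; }
    done
    return "$rc"
}

# Run the checks only when the three file paths are given as arguments.
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```

Run it on the Master Aggregator host of the Source cluster with the CA certificate, server certificate and server key paths as arguments. On each Metrics cluster host, readable_by_user can be called on its own against the CA certificate path.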

Last modified: September 13, 2024
