Migrate Monitoring from HTTP to HTTPS
Warning
SingleStore 9.0 gives you the opportunity to preview, evaluate, and provide feedback on new and upcoming features prior to their general availability. In the interim, SingleStore 8.9 is recommended for production workloads, which can later be upgraded to SingleStore 9.0.
Create an SSL Secret
Create a Secret containing the SSL certificates that will be used for HTTPS connections. The Secret must be named <cluster-name>-additional-secrets to be automatically mounted to each pod of the cluster.
Option 1: Use kubectl
Use kubectl to create the Secret.

    kubectl create secret generic <cluster-name>-additional-secrets \
      --from-file=ssl-crt=<path_to_server-cert.pem> \
      --from-file=ssl-key=<path_to_server-key.pem> \
      --from-file=ssl-ca=<path_to_ca-cert.pem>
Option 2: Declare an SSL Secret in a YAML File
The data section of the secret must have the following key/value pairs:
- ssl-crt: The Base64-encoded server certificate
- ssl-key: The Base64-encoded server private key
- ssl-ca: The Base64-encoded Certificate Authority (CA) certificate
For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: <cluster-name>-additional-secrets
    type: Opaque
    data:
      ssl-ca: ...WdNQWtOQk1SWXdGQ...
      ssl-crt: ...U5wYzJOdk1ROHdEU...
      ssl-key: ...HaVBOTytQaEh2QSt...

Note: Replace <cluster-name> with your SingleStore cluster name.
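One way to produce the Option 2 manifest from the PEM files while catching a certificate and key bound to the wrong data key. This is an added example, not part of the SingleStore documentation or tooling; the function names, argument order and script file name are assumptions of the example.

```shell
#!/bin/sh
# Added example (not SingleStore code): render the Option 2 Secret manifest from
# PEM files. Function names and argument order are this example's own choices.

# True if FILE is readable and holds a PEM block whose label matches the ERE LABEL.
pem_has_label() {  # usage: pem_has_label FILE LABEL
  [ -r "$1" ] && grep -Eq -- "^-----BEGIN ($2)-----" "$1"
}

# Base64 on a single line: a wrapped value would break the YAML data field.
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# Print the manifest on stdout; fail if a file does not fit the key it is bound to.
make_ssl_secret() {  # usage: make_ssl_secret CLUSTER CERT KEY CA
  pem_has_label "$2" 'CERTIFICATE' ||
    { echo "ssl-crt: $2 is not a PEM certificate" >&2; return 1; }
  pem_has_label "$3" '([A-Z]+ )?PRIVATE KEY' ||
    { echo "ssl-key: $3 is not a PEM private key" >&2; return 1; }
  pem_has_label "$4" 'CERTIFICATE' ||
    { echo "ssl-ca: $4 is not a PEM certificate" >&2; return 1; }
  # Reject combined cert+key bundles: the key belongs only under ssl-key.
  if grep -q -- 'PRIVATE KEY-----' "$2" "$4"; then
    echo "private key material found in a certificate file" >&2; return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${1}-additional-secrets
type: Opaque
data:
  ssl-ca: $(b64_oneline "$4")
  ssl-crt: $(b64_oneline "$2")
  ssl-key: $(b64_oneline "$3")
EOF
}

# Run as (hypothetical file name):
#   sh make-secret.sh <cluster-name> server-cert.pem server-key.pem ca-cert.pem
if [ "$#" -eq 4 ]; then make_ssl_secret "$@"; fi
```

Base64 is an encoding, not encryption, so the rendered manifest exposes the private key to anyone who can read it. Piping the output into kubectl apply -f - avoids leaving it in a file on disk.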
Confirm that the Keys are Mounted to the Cluster
- Exec into the Master Aggregator (MA) pod.

    kubectl exec node-<cluster-name>-master-0 -c node

- Confirm that the following files are present in the /etc/memsql/extra-secret directory.

    ssl-crt ssl-key ssl-ca

Refer to SSL Secure Connections for more information.
Add the Exporter SSL Args
- In the sdb-operator.yaml file on the Source cluster, add the following argument to the args list in the sdb-operator section.

    "--master-exporter-parameters",
    "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables --no-cluster-collect.info_schema.tablestats --no-collect.info_schema.tables --no-collect.info_schema.tablestats"

  Note that this is a single master-exporter-parameters argument and the remainder is its value.

  When modified, the file will resemble the following. If the cluster is configured to use the root user with SSL, an additional --config.ssl-ca=/etc/memsql/ssl/ca-cert.pem argument must be added into the --master-exporter-parameters.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: sdb-operator
      labels:
        app.kubernetes.io/component: operator
    spec:
      replicas: 1
      selector:
        matchLabels:
          name: sdb-operator
      template:
        metadata:
          labels:
            name: sdb-operator
        spec:
          serviceAccountName: sdb-operator
          containers:
            - name: sdb-operator
              image: operator_image_tag
              imagePullPolicy: Always
              args: [
                # Cause the operator to merge rather than replace annotations on services
                "--merge-service-annotations",
                # Allow the process inside the container to have read/write access to the `/var/lib/memsql` volume.
                "--fs-group-id", "5555",
                "--cluster-id", "sdb-cluster",
                "--master-exporter-parameters",
                "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables --no-cluster-collect.info_schema.tablestats --no-collect.info_schema.tables --no-collect.info_schema.tablestats"
              ]
              env:
                - name: WATCH_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: OPERATOR_NAME
                  value: "sdb-operator"

- Apply the changes to the cluster.

    kubectl apply -f sdb-operator.yaml

- Confirm that the Operator pod is running.

    kubectl get pods

    memsql-operator-758ffb66c8-5sn4l 1/1 Running

- Run the following command to force a restart of the memsql_exporter container on the master pod.

    kubectl exec -it node-<memsql-cluster-name>-master-0 -c exporter -- /bin/sh -c "kill 1"

Create and Apply the Start Monitoring Job
The following YAML creates a job that sets up the metrics
database and the associated pipelines.
With Internet Access
- Modify the start-monitoring-job.yaml file so that it resembles the following. Note that:
  - <database-user> must be replaced with the desired database user, such as the admin user
  - <database-user-password> must be replaced with this database user's password
  - <exporter-hostname> must be replaced with the exporter hostname from the Configure Cluster Monitoring with the Operator step
  - <other-options…> must be removed or replaced with the options available in sdb-admin start-monitoring-kube

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: toolbox-start-monitoring
    spec:
      template:
        spec:
          serviceAccountName: tools
          containers:
            - name: toolbox-start-monitoring
              image: singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb
              imagePullPolicy: IfNotPresent
              command: ["sdb-admin",
                        "start-monitoring-kube",
                        "--user=<database-user>",
                        "--password=<database-user-password>",
                        "--collect-event-traces",
                        "--exporter-host=<exporter-hostname>",
                        "--ssl-ca=/etc/memsql/extra-secret/ssl-ca",
                        "--yes"
                        <other options…>
                       ]
          restartPolicy: Never
      backoffLimit: 2

- Run the following command to apply the changes in the start-monitoring-job.yaml file.

    kubectl apply -f start-monitoring-job.yaml

Last modified: February 12, 2024