# Configure TLS/SSL/WebSocket

## Enable SSL via secureConnectionSpec

Users may declare a `secureConnectionSpec` section to enable secure connections. This is an optional section that can be added to the `sdb-cluster.yaml` file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters. To create an SSL secret, refer to [Create SSL Secret](https://docs.singlestore.com/#section-idm4598469860468833700577753369.md).

> **📝 Note**: TLS/SSL downgrades are not supported. WebSocket can be enabled or disabled.

```yaml
secureConnectionSpec:
  sslSecretName: ssl-secret
  clientServerConnection: enable
  intraClusterConnection: enable
  enableWebSockets: true
```

Valid values for the fields in `secureConnectionSpec` are:

* `sslSecretName`: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.

The `data` section of the secret must have the following key/value pairs:

* `tls.crt`: The base64-encoded server certificate
* `tls.key`: The base64-encoded server private key
* `tls.ca`: The base64-encoded Certificate Authority (CA) certificate. Only required when `intraClusterConnection` is set to `enable`.

  For example:
  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: ssl-secret
  type: Opaque
  data:
    tls.ca:  ...WdNQWtOQk1SWXdGQ...
    tls.crt: ...U5wYzJOdk1ROHdEU...
    tls.key: ...HaVBOTytQaEh2QSt...
  ```

* `clientServerConnection`: `enable`, `''` (empty).

  * Alternatively, leave this field out.
  * When set to `enable`, the server permits, but does not require, secure connection between client and server.
  * Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.
* `intraClusterConnection`: `enable`, `''` (empty).

  * Alternatively, leave this field out.
  * When set to `enable`, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.
  * When set to `enable`, `clientServerConnection` is treated as `enable` regardless of its own value.
  * Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.
* `enableWebSockets`: `true`, `false`.

  * WebSocket support can be enabled (`true`) or disabled (`false`).
  * When set to `true`, either `clientServerConnection` or `intraClusterConnection` must be set to `enable`.
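The rules above (valid field values, the intra-cluster/client-server implication, the WebSocket prerequisite, and which Secret keys must hold PEM material) are easy to get wrong when editing `sdb-cluster.yaml` by hand. The following added Python check, which is not part of the original page or of the Operator, applies them to a parsed `secureConnectionSpec` and to the `data` map of the referenced Secret before anything is applied to the cluster; the sample spec and the stand-in PEM values are constructed here.

```python
import base64

VALID_CONN = {"enable", ""}   # per the spec: 'enable', '' (empty), or omit the field entirely

def _pem_label(b64):
    """Decode one Secret data value and return its first PEM block label, or None if not PEM."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    for line in text.splitlines():
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    return None

def validate(spec, secret_data):
    """Return the list of problems found; an empty list means spec and Secret are consistent."""
    problems = []
    client = spec.get("clientServerConnection", "")
    intra = spec.get("intraClusterConnection", "")
    for field, value in (("clientServerConnection", client), ("intraClusterConnection", intra)):
        if value not in VALID_CONN:
            problems.append(f"{field}: {value!r} is not 'enable' or ''")
    # intra-cluster TLS implies client-server TLS regardless of the clientServerConnection value
    client_effective = client == "enable" or intra == "enable"
    ws = spec.get("enableWebSockets", False)
    if ws not in (True, False):
        problems.append(f"enableWebSockets: {ws!r} is not true/false")
    elif ws and not client_effective:
        problems.append("enableWebSockets: true needs clientServerConnection or intraClusterConnection = enable")
    if not spec.get("sslSecretName"):
        problems.append("sslSecretName: missing")
    expected = {"tls.crt": "CERTIFICATE", "tls.key": "PRIVATE KEY"}
    if intra == "enable":
        expected["tls.ca"] = "CERTIFICATE"     # tls.ca is only required for intra-cluster TLS
    for key, label in expected.items():
        if key not in secret_data:
            problems.append(f"secret: missing key {key}")
        elif not (_pem_label(secret_data[key]) or "").endswith(label):
            problems.append(f"secret: {key} does not decode to a PEM {label}")
    return problems

def sample_pem_b64(label):
    """Constructed stand-in PEM block (not real key material), encoded the way a Secret stores it."""
    pem = f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"
    return base64.b64encode(pem.encode()).decode()

SAMPLE_SPEC = {"sslSecretName": "ssl-secret", "clientServerConnection": "",
               "intraClusterConnection": "enable", "enableWebSockets": True}
SAMPLE_SECRET = {"tls.crt": sample_pem_b64("CERTIFICATE"), "tls.key": sample_pem_b64("RSA PRIVATE KEY")}
```

Running `validate(SAMPLE_SPEC, SAMPLE_SECRET)` reports only the missing `tls.ca`, which the sample spec requires because `intraClusterConnection` is `enable`.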

A secure connection can be made to the server using a MySQL (or compatible) client only when a secure connection is enabled. The following optional `usersSpec` section defines whether a secure connection is enforced for the `admin` user (the database user created by the Operator).

```yaml
usersSpec:
  adminRequireSsl: true  # true to enable, false to disable
```

Omit the `adminRequireSsl` field to preserve the current `adminRequireSsl` settings in the SingleStore engine.

Refer to [SSL Secure Connections](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections.md) for more information.

## Create SSL Secret

Before enabling SSL using `secureConnectionSpec`, create a Kubernetes Secret that contains your certificates:

```shell
kubectl create secret generic ssl-secret \
  --from-file=tls.crt=<path_to_server-cert.pem> \
  --from-file=tls.key=<path_to_server-key.pem> \
  --from-file=tls.ca=<path_to_ca-cert.pem>
```

After creating the secret, enable SSL by adding the `secureConnectionSpec` section to your cluster configuration.

## SSL Certificate Rotation

### Method 1: Online Rotation (Recommended)

1. Modify the existing Kubernetes Secret directly:
   ```bash
   kubectl edit secret ssl-secret
   ```

2. Update the base64-encoded values for the following keys in the data section:

   * `tls.crt`
   * `tls.key`
   * `tls.ca`

3. Save the Secret. The SSL certificates will automatically reload without requiring a node restart.

4. Verify that the new certificates have been loaded successfully:
   ```bash
   # The MySQL protocol negotiates TLS in-band after the server greeting,
   # so openssl must be told to perform that switch with -starttls mysql
   kubectl exec node-<cluster-name>-master-0 -c node -- \
     openssl s_client -starttls mysql -connect localhost:3306 -showcerts
   ```

### Method 2: Offline Rotation

> **📝 Note**: This procedure triggers a rolling restart. If SSL is configured for intra-cluster communication (`intraClusterConnection: enable`), you must use [Method 1: Online Rotation](https://docs.singlestore.com/#section-id235569592925516.md). Improper rotation using the offline method may cause the cluster to become unavailable when only a subset of nodes has been updated with new certificates.

1. Create a new Secret containing the updated certificates:
   ```bash
   kubectl create secret generic ssl-secret-new \
     --from-file=tls.crt=<path_to_new_cert.pem> \
     --from-file=tls.key=<path_to_new_key.pem> \
     --from-file=tls.ca=<path_to_new_ca.pem>
   ```

2. Update the `secureConnectionSpec` in your cluster configuration to reference the new Secret:
   ```yaml
   secureConnectionSpec:
     sslSecretName: ssl-secret-new
     clientServerConnection: enable
     intraClusterConnection: enable
   ```

3. Apply the updated specification:
   ```bash
   kubectl apply -f sdb-cluster.yaml
   ```

4. The Operator will initiate a rolling restart of all cluster nodes.
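Whichever method is used, the certificate the server actually presents on port 3306 should be compared with the one that was loaded into the Secret (step 4 of Method 1, and after the rolling restart of Method 2). This added Python check, not part of the original page or of the Operator, performs the MySQL-protocol switch to TLS the same way `openssl s_client -starttls mysql` does and returns the served certificate's SHA-256 fingerprint; the host, port and optional CA file are its own parameters, and it assumes port 3306 is reachable from where it runs (for example through `kubectl port-forward`).

```python
import hashlib
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000

def build_ssl_request(seq=1):
    """SSLRequest packet: 4-byte header, then capability flags, max packet size, charset, 23 zero bytes."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB23x", caps, 16 * 1024 * 1024, 0x21)   # 0x21 = utf8_general_ci
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def parse_header(header):
    """Split a 4-byte MySQL packet header into (payload length, sequence id)."""
    return int.from_bytes(header[:3], "little"), header[3]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during the MySQL handshake")
        buf += chunk
    return buf

def fetch_server_cert(host, port=3306, cafile=None):
    """Read the server greeting, send SSLRequest, complete TLS; return (sha256 fingerprint, DER cert).
    With cafile set (e.g. the rotated tls.ca), the served chain is verified against that CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:                  # fingerprint comparison only, no chain validation
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        length, _ = parse_header(_recv_exact(raw, 4))
        _recv_exact(raw, length)        # greeting payload is not needed; only the switch to TLS matters
        raw.sendall(build_ssl_request())
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest(), der

if __name__ == "__main__":
    import sys
    fingerprint, _ = fetch_server_cert(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print("served certificate sha256:", fingerprint)
    # compare with: openssl x509 -in server-cert.pem -noout -fingerprint -sha256
```

A fingerprint that still matches the old certificate after the Secret was saved means the reload did not take effect on that node.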

***

Modified at: May 11, 2026

Source: [/db/v9.1/reference/singlestore-operator-reference/configure-tls-ssl-websocket/](https://docs.singlestore.com/db/v9.1/reference/singlestore-operator-reference/configure-tls-ssl-websocket/)

