# Migrate Monitoring from HTTP to HTTPS

## Create an SSL Secret

Create a Secret containing SSL certificates that will be used for HTTPS connections. The Secret must be named `<cluster-name>-additional-secrets` to be automatically mounted to each pod of the cluster.

## Option 1: Use kubectl

Use `kubectl` to create the Secret.

```shell
kubectl create secret generic <cluster-name>-additional-secrets \
  --from-file=ssl-crt=<path_to_server-cert.pem> \
  --from-file=ssl-key=<path_to_server-key.pem> \
  --from-file=ssl-ca=<path_to_ca-cert.pem>
```

## Option 2: Declare an SSL Secret in a YAML File

The `data` section of the secret must have the following key/value pairs:

* `ssl-crt`: The Base64-encoded server certificate
* `ssl-key`: The Base64-encoded server private key
* `ssl-ca`: The Base64-encoded Certificate Authority (CA) certificate

For example:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: <cluster-name>-additional-secrets
type: Opaque
data:
  ssl-ca:  ...WdNQWtOQk1SWXdGQ...
  ssl-crt: ...U5wYzJOdk1ROHdEU...
  ssl-key: ...HaVBOTytQaEh2QSt...
```

**Note**: Replace `<cluster-name>` with your SingleStore cluster name.
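
The following script is an added example, not part of the original SingleStore documentation. It renders the Option 2 manifest from the three PEM files, refuses files that hold the wrong kind of PEM block (for example, swapped certificate and key arguments), and keeps each Base64 value on a single line. The function names and file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: render the Option 2 Secret manifest from PEM files.
# Function names and file paths are illustrative assumptions.

# Base64-encode a file on one line. GNU base64 wraps at 76 columns by
# default, which would split the YAML value, so newlines are stripped.
b64_one_line() {
  base64 < "$1" | tr -d '\n'
}

# Usage: render_ssl_secret <cluster-name> <server-cert> <server-key> <ca-cert>
# Prints the manifest on stdout. Returns non-zero, with nothing on stdout,
# if a file is unreadable or holds the wrong kind of PEM block.
render_ssl_secret() {
  cluster=$1 crt=$2 key=$3 ca=$4
  for f in "$crt" "$key" "$ca"; do
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  done
  # Catch swapped arguments: certificates and keys carry distinct headers.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
    { echo "ssl-crt: no PEM certificate in $crt" >&2; return 2; }
  grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" ||
    { echo "ssl-ca: no PEM certificate in $ca" >&2; return 2; }
  grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
    { echo "ssl-key: no PEM private key in $key" >&2; return 2; }
  # A private key bundled into a certificate file would end up mounted
  # under the wrong key name, so refuse it.
  if grep -q -e 'PRIVATE KEY-----' "$crt" "$ca"; then
    echo "private key material found in a certificate file" >&2
    return 3
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${cluster}-additional-secrets
type: Opaque
data:
  ssl-ca: $(b64_one_line "$ca")
  ssl-crt: $(b64_one_line "$crt")
  ssl-key: $(b64_one_line "$key")
EOF
}
```

Redirect the output to a file with restrictive permissions, since the manifest contains the private key in a trivially reversible encoding.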

## Confirm that the Keys are Mounted to the Cluster

1. Exec into the Master Aggregator (MA) pod.
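   ```shell
   # kubectl exec needs a command to run; open an interactive shell in the node container
   kubectl exec -it node-<cluster-name>-master-0 -c node -- /bin/sh
   ```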

2. Confirm that the following files are present in the `/etc/memsql/extra-secret` directory.
   ```
   ssl-crt
   ssl-key
   ssl-ca
   ```

Refer to [SSL Secure Connections](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections.md) for more information.

## Add the Exporter SSL Args

1. In the `sdb-operator.yaml` file on the Source cluster, add the following argument to the `args` list in the `sdb-operator` section.
   ```yaml
   "--master-exporter-parameters",
   "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt
   --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables
   --no-cluster-collect.info_schema.tablestats
   --no-collect.info_schema.tables --no-collect.info_schema.tablestats"
   ```
   Note that this is a single `master-exporter-parameters` argument and the remainder is its value.

   If the cluster is configured to use the `root` user with SSL, an additional `--config.ssl-ca=/etc/memsql/ssl/ca-cert.pem` argument must be added to the `--master-exporter-parameters` value.

   When modified, the file will resemble the following.
   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: sdb-operator
     labels:
       app.kubernetes.io/component: operator
   spec:
     replicas: 1
     selector:
       matchLabels:
         name: sdb-operator
     template:
       metadata:
         labels:
           name: sdb-operator
       spec:
         serviceAccountName: sdb-operator
         containers:
           - name: sdb-operator
             image: operator_image_tag
             imagePullPolicy: Always
             args: [
               # Cause the operator to merge rather than replace annotations on services
               "--merge-service-annotations",
               # Allow the process inside the container to have read/write access to the `/var/lib/memsql` volume.
               "--fs-group-id", "5555",
               "--cluster-id", "sdb-cluster",
               # Single argument: the flag name followed by its value as one string
               "--master-exporter-parameters",
               "--config.ssl-cert=/etc/memsql/extra-secret/ssl-crt --config.ssl-key=/etc/memsql/extra-secret/ssl-key --config.use-https --config.user=root --no-cluster-collect.info_schema.tables --no-cluster-collect.info_schema.tablestats --no-collect.info_schema.tables --no-collect.info_schema.tablestats"
               ]
             env:
               - name: WATCH_NAMESPACE
                 valueFrom:
                   fieldRef:
                     fieldPath: metadata.namespace
               - name: POD_NAME
                 valueFrom:
                   fieldRef:
                     fieldPath: metadata.name
               - name: OPERATOR_NAME
                 value: "sdb-operator"
   ```

2. Apply the changes to the cluster.
   ```shell
   kubectl apply -f sdb-operator.yaml
   ```

3. Confirm that the Operator pod is running.
   ```shell
   kubectl get pods
   ```
   ```output
   memsql-operator-758ffb66c8-5sn4l      1/1     Running
   ```

4. Run the following command to force a restart of the `memsql_exporter` container on the master pod.
   ```shell
   kubectl exec -it node-<cluster-name>-master-0 -c exporter -- /bin/sh -c "kill 1"
   ```

## Create and Apply the Start Monitoring Job

The following YAML creates a job that sets up the `metrics` database and the associated pipelines.

## With Internet Access

1. Modify the `start-monitoring-job.yaml` file so that it resembles the following. Note that:

   1. `<database-user>` must be replaced with the desired database user, such as the admin user

   2. `<database-user-password>` must be replaced with this database user’s password

   3. `<exporter-hostname>` must be replaced with the exporter hostname from the [Configure Cluster Monitoring with the Operator](https://docs.singlestore.com/db/v9.1/reference/singlestore-operator-reference/monitor-your-kubernetes-cluster/configure-cluster-monitoring-with-the-operator/#section-idm4566299833192033586931698618.md) step

   4. `<other-options…>` must be removed or replaced with the options available in [sdb-admin start-monitoring-kube](https://docs.singlestore.com/db/v9.1/reference/singlestore-tools-reference/sdb-admin-commands/start-monitoring-kube.md)
   ```yaml
   apiVersion: batch/v1
   kind: Job
   metadata:
     name: toolbox-start-monitoring
   spec:
     template:
       spec:
         serviceAccountName: tools
         containers:
         - name: toolbox-start-monitoring
           image: singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb
           imagePullPolicy: IfNotPresent
           command: ["sdb-admin",
                     "start-monitoring-kube",
                     "--user=<database-user>",
                     "--password=<database-user-password>",
                     "--collect-event-traces",
                     "--exporter-host=<exporter-hostname>",
                     "--ssl-ca=/etc/memsql/extra-secret/ssl-ca",
                     "--yes",
                     <other-options…>
                     ]
         restartPolicy: Never
     backoffLimit: 2
   ```

2. Run the following command to apply the changes in the `start-monitoring-job.yaml` file.
   ```shell
   kubectl apply -f start-monitoring-job.yaml
   ```

## Without Internet Access

The following steps are only required for those deployment environments that cannot access the internet and therefore require the use of a local registry.

  1) Run the following command to pull the SingleStore Tools image from Docker Hub.
     ```shell
     docker pull singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb
     ```

  2) Push this image to a container image registry that is accessible by your deployment.
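     ```shell
     # Tag the pulled image with the internal registry name so that it can be pushed there
     docker tag singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb <internal-registry-name>/singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb
     docker push <internal-registry-name>/singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb
     ```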

  3) Modify the `start-monitoring-job.yaml` file so that it resembles the following. Note that:

     1. `<database-user>` must be replaced with the desired database user, such as the admin user

     2. `<database-user-password>` must be replaced with this database user’s password

     3. `<exporter-hostname>` must be replaced with the exporter hostname from the [Configure Cluster Monitoring with the Operator](https://docs.singlestore.com/db/v9.1/reference/singlestore-operator-reference/monitor-your-kubernetes-cluster/configure-cluster-monitoring-with-the-operator/#section-idm4566299833192033586931698618.md) step

     4. `<other-options…>` must be removed or replaced with the options available in [sdb-admin start-monitoring-kube](https://docs.singlestore.com/db/v9.1/reference/singlestore-tools-reference/sdb-admin-commands/start-monitoring-kube.md)
     ```yaml
     apiVersion: batch/v1
     kind: Job
     metadata:
       name: toolbox-start-monitoring
     spec:
       template:
         spec:
           serviceAccountName: tools
           containers:
           - name: toolbox-start-monitoring
             image: <internal-registry-name>/singlestore/tools:alma-v1.11.6-1.17.2-cc87b449d97fd7cde78fdc4621c2aec45cc9a6cb  # Update this line
             imagePullPolicy: IfNotPresent
             command: ["sdb-admin",
                       "start-monitoring-kube",
                       "--user=<database-user>",
                       "--password=<database-user-password>",
                       "--collect-event-traces",
                       "--exporter-host=<exporter-hostname>",
                       "--ssl-ca=/etc/memsql/extra-secret/ssl-ca",
                       "--yes",
                       <other-options…>
                       ]
           restartPolicy: Never
       backoffLimit: 2
     ```

  4) Run the following command to apply the changes in the `start-monitoring-job.yaml` file.
     ```shell
     kubectl apply -f start-monitoring-job.yaml
     ```

***

Modified at: February 12, 2024

Source: [/db/v9.1/reference/singlestore-operator-reference/monitor-your-kubernetes-cluster/migrate-monitoring-from-http-to-https/](https://docs.singlestore.com/db/v9.1/reference/singlestore-operator-reference/monitor-your-kubernetes-cluster/migrate-monitoring-from-http-to-https/)

