
Configure TLS / SSL

Users may declare a secureConnectionSpec section to enable secure connections. This is an optional section that can be added to the memsql-cluster.yaml file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters.

Info

Downgrades are not supported.

secureConnectionSpec:
  sslSecretName: ssl-secret
  clientServerConnection: enable
  intraClusterConnection: enable

Valid values for the fields in secureConnectionSpec are:

  • sslSecretName: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.

The data section of the secret must have the following key/value pairs:

  • tls.crt: The base64-encoded server certificate
  • tls.key: The base64-encoded server private key
  • tls.ca: The base64-encoded Certificate Authority (CA) certificate. Only required when intraClusterConnection is set to enable.

For example:

apiVersion: v1
kind: Secret
metadata:
  name: ssl-secret
type: Opaque
data:
  tls.ca:  ...WdNQWtOQk1SWXdGQ...
  tls.crt: ...U5wYzJOdk1ROHdEU...
  tls.key: ...HaVBOTytQaEh2QSt...

  • clientServerConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.
    • When set to enable, the server permits, but does not require, secure connections between clients and the server.
    • Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.
  • intraClusterConnection: enable, ‘’ (empty).

    • Alternatively, leave this field out.
    • When set to enable, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.
    • When set to enable, clientServerConnection is treated as enabled regardless of its value.
    • Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.
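
The rules above can be checked before the manifests are applied. The following is an added example, not SingleStore code: check_secure_connection and the sample values are hypothetical, and it assumes the secureConnectionSpec section and the Secret have already been parsed from YAML into dictionaries.

```python
import base64
import binascii

ALLOWED = ("enable", "")  # values the page lists; omitting the field is also valid

def check_secure_connection(spec, secret):
    """Return a list of problems in a secureConnectionSpec / Secret pair (parsed YAML)."""
    problems = []
    for field in ("clientServerConnection", "intraClusterConnection"):
        value = spec.get(field)
        if value is not None and value not in ALLOWED:
            problems.append(f"{field}: unsupported value {value!r}")
    if spec.get("sslSecretName") != secret.get("metadata", {}).get("name"):
        problems.append("sslSecretName does not match the Secret's metadata.name")
    required = ["tls.crt", "tls.key"]
    if spec.get("intraClusterConnection") == "enable":
        required.append("tls.ca")  # the page requires the CA only for intra-cluster TLS
    data = secret.get("data") or {}
    for key in required:
        if key not in data:
            problems.append(f"{key}: missing from Secret data")
            continue
        try:
            pem = base64.b64decode(data[key], validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{key}: not base64 (raw PEM pasted into data?)")
            continue
        if not pem.lstrip().startswith(b"-----BEGIN "):
            problems.append(f"{key}: decoded value is not PEM")
    return problems

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample input: placeholder PEM bodies, not real key material.
SAMPLE_SPEC = {"sslSecretName": "ssl-secret", "clientServerConnection": "enable",
               "intraClusterConnection": "enable"}
SAMPLE_SECRET = {
    "metadata": {"name": "ssl-secret"},
    "data": {
        "tls.crt": b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        # Mistake 1: raw PEM instead of base64. Mistake 2: tls.ca is absent.
        "tls.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    },
}

if __name__ == "__main__":
    for problem in check_secure_connection(SAMPLE_SPEC, SAMPLE_SECRET):
        print(problem)
```

The check only confirms that each value decodes to something PEM-shaped; it does not verify that tls.crt matches tls.key or chains to tls.ca.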

Refer to SSL Secure Connections for more information.