Configure TLS/SSL/WebSocket
Users may declare a secureConnectionSpec section to enable secure connections. This is an optional section that can be added to the memsql-cluster.yaml file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters.
TLS/SSL downgrades are not supported. WebSocket can be enabled or disabled.
secureConnectionSpec:
  sslSecretName: ssl-secret
  clientServerConnection: enable
  intraClusterConnection: enable
  enableWebSockets: true
Valid values for the fields in secureConnectionSpec are:
- sslSecretName: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.
  The data section of the secret must have the following key/value pairs:
  - tls.crt: The base64-encoded server certificate
  - tls.key: The base64-encoded server private key
  - tls.ca: The base64-encoded Certificate Authority (CA) certificate. Only required when intraClusterConnection is set to enable.
For example:
apiVersion: v1
kind: Secret
metadata:
  name: ssl-secret
type: Opaque
data:
  tls.ca: ...WdNQWtOQk1SWXdGQ...
  tls.crt: ...U5wYzJOdk1ROHdEU...
  tls.key: ...HaVBOTytQaEh2QSt...
- clientServerConnection: enable, '' (empty).
  - Alternatively, leave this field out.
  - When set to enable, the server permits, but does not require, secure connection between client and server.
  - Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.
- intraClusterConnection: enable, '' (empty).
  - Alternatively, leave this field out.
  - When set to enable, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.
  - When set to true, clientServerConnection will be treated as true regardless of its value.
  - Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.
- enableWebSockets: true, false.
  - WebSocket support can be enabled (true) or disabled (false).
  - When set to true, either clientServerConnection or intraClusterConnection must be set to enable.
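The field rules above can be checked before the manifests are applied. The following is an added example, not code from the SingleStore documentation or the Operator: it takes the already-parsed mapping that holds secureConnectionSpec and the parsed Secret as Python dicts. The function names, the sample values, and the expectation that each decoded value is a PEM block are assumptions.

```python
import base64
import binascii
import re

def pem_label(b64_value):
    """Decode one Secret data value; return its PEM label, or None if it is not base64 PEM."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError, ValueError, TypeError):
        return None
    match = re.match(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
    return match.group(1) if match else None

def check_secure_connection(spec, secret):
    """Check the field rules stated on this page; return a list of findings (empty means OK)."""
    findings = []
    scs = spec.get("secureConnectionSpec") or {}
    client = scs.get("clientServerConnection") == "enable"
    intra = scs.get("intraClusterConnection") == "enable"
    if scs.get("enableWebSockets") is True and not (client or intra):
        findings.append("enableWebSockets is true but no connection type is set to enable")
    if not (client or intra):
        return findings
    if (secret.get("metadata") or {}).get("name") != scs.get("sslSecretName"):
        findings.append("sslSecretName does not match the Secret's metadata.name")
    required = {"tls.crt": "CERTIFICATE", "tls.key": "PRIVATE KEY"}
    if intra:  # tls.ca is only required when intraClusterConnection is enable
        required["tls.ca"] = "CERTIFICATE"
    data = secret.get("data") or {}
    for key, want in required.items():
        if key not in data:
            findings.append(f"Secret is missing {key}")
        elif not (pem_label(data[key]) or "").endswith(want):
            findings.append(f"{key} is not a base64-encoded PEM {want}")
    return findings

def constructed_pem(label):
    # Constructed placeholder PEM (not a real certificate or key), base64-encoded as in a Secret.
    pem = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    return base64.b64encode(pem.encode()).decode()

# Constructed sample: intra-cluster TLS on, tls.ca absent, tls.crt holds a key by mistake.
SAMPLE_SPEC = {"secureConnectionSpec": {"sslSecretName": "ssl-secret",
               "intraClusterConnection": "enable", "enableWebSockets": True}}
SAMPLE_SECRET = {"metadata": {"name": "ssl-secret"}, "data": {
    "tls.crt": constructed_pem("PRIVATE KEY"), "tls.key": constructed_pem("PRIVATE KEY")}}

if __name__ == "__main__":
    print("\n".join(check_secure_connection(SAMPLE_SPEC, SAMPLE_SECRET)))
```

The check only inspects the PEM label of each value; it does not verify that the certificate matches the key or chains to the CA.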
A secure connection can be made to the server using a MySQL (or compatible) client only when a secure connection is enabled. The following optional userSpec section defines whether a secure connection is enforced for the admin user (the database user created by the Operator).
usersSpec:
  adminRequireSsl: true # true to enable, false to disable
Omit the adminRequireSsl field to preserve the current adminRequireSsl settings in the MemSQL/SingleStore DB engine.
Refer to SSL Secure Connections for more information.