Configure TLS/SSL/WebSocket

Users may declare a secureConnectionSpec section to enable secure connections. This is an optional section that can be added to the memsql-cluster.yaml file to enable client-server and/or intra-cluster secure connections, or, in the case of DR, secure connections between primary and secondary clusters.

Info

TLS/SSL downgrades are not supported. WebSocket can be enabled or disabled.

secureConnectionSpec:
  sslSecretName: ssl-secret
  clientServerConnection: enable
  intraClusterConnection: enable
  enableWebSockets: true

Valid values for the fields in secureConnectionSpec are:

  • sslSecretName: The name of the Kubernetes Secret that stores the certificate and the key used to secure the connection.

The data section of the secret must have the following key/value pairs:

  • tls.crt: The base64-encoded server certificate
  • tls.key: The base64-encoded server private key
  • tls.ca: The base64-encoded Certificate Authority (CA) certificate. Only required when intraClusterConnection is set to enable.

For example:

apiVersion: v1
kind: Secret
metadata:
   name: ssl-secret
type: Opaque
data:
  tls.ca:  ...WdNQWtOQk1SWXdGQ...
  tls.crt: ...U5wYzJOdk1ROHdEU...
  tls.key: ...HaVBOTytQaEh2QSt...

  • clientServerConnection: enable, '' (empty).

    • Alternatively, leave this field out.
    • When set to enable, the server permits, but does not require, secure connection between client and server.
    • Supports both initial deployments and upgrades from existing deployments that are not already configured for client-server secure connections.
  • intraClusterConnection: enable, '' (empty).

    • Alternatively, leave this field out.
    • When set to enable, secure connections are required between nodes inside the cluster, and, in the case of DR, between nodes across primary and secondary clusters.
    • When set to enable, clientServerConnection is treated as enabled regardless of its value.
    • Supports initial deployments but does not support upgrades from existing deployments that are not already configured with intra-cluster secure connections.
  • enableWebSockets: true, false.

    • WebSocket support can be enabled (true) or disabled (false).
    • When set to true, either clientServerConnection or intraClusterConnection must be set to enable.
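The rules above interact (intraClusterConnection implies client-server security, enableWebSockets needs one of the two connection fields enabled, tls.ca is only mandatory for intra-cluster connections), and a typo in the Secret's base64 data is only discovered once the Operator tries to use it. The following preflight check is an added example, not code from the Operator or from SingleStore: it builds the Opaque Secret manifest from PEM text, resolves what a secureConnectionSpec effectively turns on, and reports any violations of the rules on this page before anything is applied. It assumes the Secret's metadata.name must equal sslSecretName, and it uses constructed placeholder PEM strings in place of real certificate and key files.

```python
"""Preflight checks for a secureConnectionSpec and its TLS Secret (added example)."""
import base64
import binascii

VALID_CONNECTION_VALUES = {"enable", "", None}


def build_secret(name, tls_crt, tls_key, tls_ca=None):
    """Build the Opaque Secret manifest the Operator expects, base64-encoding each PEM blob.

    tls_ca is optional; it is only needed when intraClusterConnection is set to enable.
    """
    data = {
        "tls.crt": base64.b64encode(tls_crt.encode()).decode(),
        "tls.key": base64.b64encode(tls_key.encode()).decode(),
    }
    if tls_ca is not None:
        data["tls.ca"] = base64.b64encode(tls_ca.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": data,
    }


def effective_settings(spec):
    """Resolve what the spec actually turns on.

    intraClusterConnection: enable implies client-server secure connections
    regardless of the clientServerConnection value.
    """
    intra = spec.get("intraClusterConnection") == "enable"
    client_server = intra or spec.get("clientServerConnection") == "enable"
    return {
        "clientServer": client_server,
        "intraCluster": intra,
        "webSockets": bool(spec.get("enableWebSockets", False)),
    }


def _check_pem_entry(data, key, marker):
    """Return a list of problems with one data entry that should hold a base64 PEM blob."""
    raw = data.get(key)
    if raw is None:
        return [f"data.{key} is missing"]
    try:
        text = base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return [f"data.{key} is not valid base64"]
    # "PRIVATE KEY-----" matches PKCS#8, RSA and EC PEM labels alike.
    if "-----BEGIN " not in text or f"{marker}-----" not in text:
        return [f"data.{key} does not contain a PEM {marker}"]
    return []


def check_secure_connection(spec, secret):
    """Validate a secureConnectionSpec against the Secret it names; return a list of errors."""
    errors = []
    name = spec.get("sslSecretName")
    if not name:
        errors.append("sslSecretName is required")
    elif secret.get("metadata", {}).get("name") != name:  # assumption: name must match
        errors.append(f"sslSecretName {name!r} does not match the Secret's metadata.name")

    for field in ("clientServerConnection", "intraClusterConnection"):
        if spec.get(field) not in VALID_CONNECTION_VALUES:
            errors.append(f"{field} must be 'enable' or empty, got {spec.get(field)!r}")

    ws = spec.get("enableWebSockets")
    if ws not in (True, False, None):
        errors.append(f"enableWebSockets must be true or false, got {ws!r}")
    settings = effective_settings(spec)
    if ws is True and not settings["clientServer"]:
        errors.append("enableWebSockets: true requires clientServerConnection or "
                      "intraClusterConnection set to enable")

    data = secret.get("data", {})
    errors += _check_pem_entry(data, "tls.crt", "CERTIFICATE")
    errors += _check_pem_entry(data, "tls.key", "PRIVATE KEY")
    if settings["intraCluster"]:  # tls.ca is only required for intra-cluster connections
        errors += _check_pem_entry(data, "tls.ca", "CERTIFICATE")
    return errors


# Constructed placeholders standing in for real PEM files; they carry only the
# BEGIN/END markers the checks look at and are not usable certificates or keys.
def _fake_pem(label):
    return f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n"


SAMPLE_SECRET = build_secret(
    "ssl-secret",
    tls_crt=_fake_pem("CERTIFICATE"),
    tls_key=_fake_pem("PRIVATE KEY"),
    tls_ca=_fake_pem("CERTIFICATE"),
)

SAMPLE_SPEC = {
    "sslSecretName": "ssl-secret",
    "clientServerConnection": "enable",
    "intraClusterConnection": "enable",
    "enableWebSockets": True,
}

if __name__ == "__main__":
    problems = check_secure_connection(SAMPLE_SPEC, SAMPLE_SECRET)
    print("OK" if not problems else "\n".join(problems))
```

In practice you would read the PEM text from the files your CA issued and feed the resulting manifest to kubectl; running the check first catches a missing tls.ca on an intra-cluster deployment, which otherwise only surfaces at deploy time and cannot be fixed by a later upgrade.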

A MySQL (or compatible) client can make a secure connection to the server only when client-server secure connections are enabled in secureConnectionSpec. The following optional usersSpec section defines whether a secure connection is enforced for the admin user (the database user created by the Operator).

usersSpec:
  adminRequireSsl: true  # true to enable, false to disable

Omit the adminRequireSsl field to preserve the current adminRequireSsl settings in the MemSQL/SingleStore DB engine.

Refer to SSL Secure Connections for more information.