New to KubeDB? Please start here.
Configure TLS/SSL in SingleStore
KubeDB
supports providing TLS/SSL encryption (via, tls
mode) for SingleStore
. This tutorial will show you how to use KubeDB
to deploy a SingleStore
database with TLS/SSL configuration.
Before You Begin
At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using kind.
Install
cert-manger
v1.0.0 or later to your cluster to manage your SSL/TLS certificates.Install
KubeDB
in your cluster following the steps here.To keep things isolated, this tutorial uses a separate namespace called
demo
throughout this tutorial.$ kubectl create ns demo namespace/demo created
Note: YAML files used in this tutorial are stored in docs/guides/singlestore/tls/configure/examples folder in GitHub repository kubedb/docs.
Deploy SingleStore database with TLS/SSL configuration
As pre-requisite, at first, we are going to create an Issuer/ClusterIssuer. This Issuer/ClusterIssuer is used to create certificates. Then we are going to deploy a SingleStore standalone and cluster that will be configured with these certificates by KubeDB
operator.
Create SingleStore License Secret
We need SingleStore License to create SingleStore Database. So, Ensure that you have acquired a license and then simply pass the license by secret.
$ kubectl create secret generic -n demo license-secret \
--from-literal=username=license \
--from-literal=password='your-license-set-here'
secret/license-secret created
Create Issuer/ClusterIssuer
Now, we are going to create an example Issuer
that will be used throughout the duration of this tutorial. Alternatively, you can follow this cert-manager tutorial to create your own Issuer
. By following the below steps, we are going to create our desired issuer,
- Start off by generating our ca-certificates using openssl,
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=memsql/O=kubedb"
Generating a RSA private key
...........................................................................+++++
........................................................................................................+++++
writing new private key to './ca.key'
- create a secret using the certificate files we have just generated,
kubectl create secret tls sdb-ca \
--cert=ca.crt \
--key=ca.key \
--namespace=demo
secret/sdb-ca created
Now, we are going to create an Issuer
using the sdb-ca
secret that hols the ca-certificate we have just created. Below is the YAML of the Issuer
cr that we are going to create,
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: sdb-issuer
namespace: demo
spec:
ca:
secretName: sdb-ca
Let’s create the Issuer
cr we have shown above,
kubectl apply -f https://github.com/kubedb/docs/raw/v2024.9.30/docs/guides/singlestore/tls/configure/examples/issuer.yaml
issuer.cert-manager.io/sdb-issuer created
Deploy SingleStore Cluster with TLS/SSL configuration
Here, our issuer sdb-issuer
is ready to deploy a SingleStore
cluster with TLS/SSL configuration. Below is the YAML for SingleStore Cluster that we are going to create,
apiVersion: kubedb.com/v1alpha2
kind: Singlestore
metadata:
name: sdb-tls
namespace: demo
spec:
version: "8.7.10"
topology:
aggregator:
replicas: 2
podTemplate:
spec:
containers:
- name: singlestore
resources:
limits:
memory: "2Gi"
cpu: "700m"
requests:
memory: "2Gi"
cpu: "700m"
storage:
storageClassName: "standard"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
leaf:
replicas: 1
podTemplate:
spec:
containers:
- name: singlestore
resources:
limits:
memory: "2Gi"
cpu: "700m"
requests:
memory: "2Gi"
cpu: "700m"
storage:
storageClassName: "standard"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
licenseSecret:
name: license-secret
deletionPolicy: WipeOut
tls:
issuerRef:
apiGroup: cert-manager.io
kind: Issuer
name: sdb-issuer
certificates:
- alias: server
subject:
organizations:
- kubedb:server
dnsNames:
- localhost
ipAddresses:
- "127.0.0.1"
Here,
spec.tls.issuerRef
refers to thesdb-issuer
issuer.spec.tls.certificates
gives you a lot of options to configure so that the certificate will be renewed and kept up to date. You can found more details from here
Let’s create the SingleStore
cr we have shown above,
$ kubectl apply -f https://github.com/kubedb/docs/raw/v2024.9.30/docs/guides/singlestore/tls/configure/examples/tls-cluster.yaml
singlestore.kubedb.com/sdb-tls created
Wait for the database to be ready:
Now, wait for SingleStore
going on Running
state and also wait for PetSet
and its pod to be created and going to Running
state,
$ kubectl get sdb,petset -n demo
NAME TYPE VERSION STATUS AGE
singlestore.kubedb.com/sdb-tls kubedb.com/v1alpha2 8.7.10 Ready 3m57s
NAME AGE
petset.apps.k8s.appscode.com/sdb-tls-aggregator 3m53s
petset.apps.k8s.appscode.com/sdb-tls-leaf 3m50s
Verify tls-secrets created successfully:
If everything goes well, you can see that our tls-secrets will be created which contains server, client, exporter certificate. Server tls-secret will be used for server configuration and client tls-secret will be used for a secure connection.
All tls-secret are created by KubeDB
Ops Manager. Default tls-secret name formed as {singlestore-object-name}-{cert-alias}-cert.
Let’s check the tls-secrets have created,
$ kubectl get secret -n demo | grep sdb-tls
sdb-tls-client-cert kubernetes.io/tls 3 5m41s
sdb-tls-root-cred kubernetes.io/basic-auth 2 5m41s
sdb-tls-server-cert kubernetes.io/tls
Verify SingleStore configured with TLS/SSL:
Now, we are going to connect to the database for verifying the SingleStore
server has configured with TLS/SSL encryption.
Let’s exec into the pod to verify TLS/SSL configuration,
$ kubectl exec -it -n demo sdb-tls-aggregator-0 -- bash
Defaulted container "singlestore" out of: singlestore, singlestore-coordinator, singlestore-init (init)
[memsql@sdb-tls-aggregator-0 /]$ ls etc/memsql/certs
ca.crt client.crt client.key server.crt server.key
[memsql@sdb-tls-aggregator-0 /]$ memsql -uroot -p$ROOT_PASSWORD
singlestore-client: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 237
Server version: 5.7.32 SingleStoreDB source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
singlestore> show variables like '%ssl%';
+---------------------------------+------------------------------+
| Variable_name | Value |
+---------------------------------+------------------------------+
| default_user_require_ssl | OFF |
| exporter_ssl_ca | |
| exporter_ssl_capath | |
| exporter_ssl_cert | |
| exporter_ssl_key | |
| exporter_ssl_key_passphrase | [redacted] |
| have_openssl | ON |
| have_ssl | ON |
| jwks_ssl_ca_certificate | |
| node_replication_ssl_only | OFF |
| openssl_version | 805306480 |
| processlist_rpc_json_max_size | 2048 |
| ssl_ca | /etc/memsql/certs/ca.crt |
| ssl_capath | |
| ssl_cert | /etc/memsql/certs/server.crt |
| ssl_cipher | |
| ssl_fips_mode | OFF |
| ssl_key | /etc/memsql/certs/server.key |
| ssl_key_passphrase | [redacted] |
| ssl_last_reload_attempt_time | |
| ssl_last_successful_reload_time | |
+---------------------------------+------------------------------+
21 rows in set (0.00 sec)
singlestore> exit
Bye
The above output shows that the SingleStore
server is configured to TLS/SSL. You can also see that the .crt
and .key
files are stored in /etc/mysql/certs/
directory for client and server respectively.
Verify secure connection for SSL required user:
Now, you can create an SSL required user that will be used to connect to the database with a secure connection.
Let’s connect to the database server with a secure connection,
$ kubectl exec -it -n demo sdb-tls-aggregator-0 -- bash
Defaulted container "singlestore" out of: singlestore, singlestore-coordinator, singlestore-init (init)
[memsql@sdb-tls-aggregator-0 /]$ memsql -uroot -p$ROOT_PASSWORD
singlestore-client: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 316
Server version: 5.7.32 SingleStoreDB source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
singlestore> CREATE USER 'new_user'@'localhost' IDENTIFIED BY '1234' REQUIRE SSL;
Query OK, 0 rows affected (0.05 sec)
singlestore> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
singlestore> exit
Bye
# accessing the database server newly created user with certificates
[memsql@sdb-tls-aggregator-0 /]$ memsql -unew_user -p1234 --ssl-ca=/etc/memsql/certs/ca.crt --ssl-cert=/etc/memsql/certs/server.crt --ssl-key=/etc/memsql/certs/server.key
singlestore-client: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 462
Server version: 5.7.32 SingleStoreDB source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
singlestore> exit;
Bye
From the above output, you can see that only using client certificate we can access the database securely, otherwise, it shows “Access denied”. Our client certificate is stored in /etc/memsql/certs/
directory.
Cleaning up
To clean up the Kubernetes resources created by this tutorial, run:
$ kubectl delete sdb demo sdb-tls
singlestore.kubedb.com "sdb-tls" deleted
$ kubectl delete ns demo
namespace "demo" deleted