
Configure SSL/TLS for Okera Metadata Storage

Okera provides configurable SSL and TLS support for your Okera metadata storage in a MySQL or Postgres database. Specifically, it provides configurable:

  • SSL and TLS support for MySQL databases
  • SSL support for Postgres databases

Okera can determine which protocol (SSL or TLS) to use based on the certificates provided.

Note: This configuration only affects Okera's MySQL and Postgres metadata storage; it does not enable SSL/TLS throughout the Okera cluster. For information on cluster SSL support, see Configure SSL for the Cluster.

Okera only supports TLS for MySQL catalogs at this time. It does not support Cloud SQL Auth proxy functionality.

Configuration Steps

To configure SSL/TLS support for the Okera metadata storage:

  1. Create or gather the required certificates for the MySQL or Postgres database used for Okera's metadata storage. If you have them, use the same certificates you configured for the MySQL and Postgres databases.

    For SSL support, you will need the certificate for the MySQL or Postgres database server.

    For TLS support, you will need the following certificates for the MySQL database:

    • Server
    • Client
    • Private key for the client certificate
  2. Encode the certificates in base64. You can do this using the following bash command:

    cat /path/to/<certificate>.pem | base64 -w0

    Substitute the name of the certificate PEM file you are encoding for <certificate>. The -w0 option (GNU coreutils base64) disables line wrapping, so the output is a single line that can be pasted into the configuration file.

  3. Specify the base64-encoded certificates in the Okera configuration file using the following configuration parameters:

    • CATALOG_DB_SSL (SSL and TLS): Set this parameter to "true" to enable configurable SSL or TLS support for the Okera metadata storage. The default value is "false".
    • CATALOG_DB_SERVER_CERT (SSL and TLS): Specify the base64-encoded SSL/TLS certificate for the MySQL or Postgres database server.
    • CATALOG_DB_CLIENT_CERT (TLS only): If you are using mutual (two-way) authentication, specify the base64-encoded TLS certificate for the MySQL database client.
    • CATALOG_DB_CLIENT_CERT_KEY (TLS only): If you are using mutual (two-way) authentication, specify the base64-encoded private key for the MySQL client TLS certificate.

TLS Configuration Example

CATALOG_DB_CLIENT_CERT: <copy/pasted base64 value of client-cert.pem>
CATALOG_DB_CLIENT_CERT_KEY: <copy/pasted base64 value of client-cert-key.pem>
CATALOG_DB_SERVER_CERT: <copy/pasted base64 value of server-cert.pem>
CATALOG_DB_SSL: "true"

SSL Configuration Example

CATALOG_DB_SERVER_CERT: <copy/pasted base64 value of server-cert.pem>
CATALOG_DB_SSL: "true"
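A small checker for the three steps above and the two example configurations, added here as an illustration and not part of Okera's product or documentation: it base64-encodes PEM files the way base64 -w0 does, emits the CATALOG_DB_* parameters, and classifies an existing configuration as SSL or TLS the way the page describes (server certificate alone means SSL; server certificate plus client certificate and key means TLS). The PEM inputs are constructed placeholders, and the checks cover PEM framing only, not certificate validity or the cert/key pairing.

```python
import base64
import re
# PEM framing: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
_PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>[A-Za-z0-9+/=\s]+?)-----END (?P=label)-----")

def pem_label(pem_text):
    # Returns the block label ("CERTIFICATE", "PRIVATE KEY", ...); checks framing and body only.
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("not a PEM block")
    base64.b64decode(re.sub(r"\s+", "", match.group("body")), validate=True)  # ValueError if not base64
    return match.group("label")

def encode_for_config(pem_text):
    # Same output as `base64 -w0 file.pem`: one unwrapped base64 line, as the config expects.
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")

def build_catalog_db_config(server_cert_pem, client_cert_pem=None, client_key_pem=None):
    # Server cert alone -> SSL parameters; server + client cert + client key -> TLS parameters.
    if (client_cert_pem is None) != (client_key_pem is None):
        raise ValueError("client certificate and its private key must be supplied together")
    if pem_label(server_cert_pem) != "CERTIFICATE":
        raise ValueError("CATALOG_DB_SERVER_CERT must be a certificate")
    config = {"CATALOG_DB_SSL": "true", "CATALOG_DB_SERVER_CERT": encode_for_config(server_cert_pem)}
    if client_cert_pem is not None:
        if pem_label(client_cert_pem) != "CERTIFICATE":
            raise ValueError("CATALOG_DB_CLIENT_CERT must be a certificate")
        if not pem_label(client_key_pem).endswith("PRIVATE KEY"):
            raise ValueError("CATALOG_DB_CLIENT_CERT_KEY must be a private key")
        config["CATALOG_DB_CLIENT_CERT"] = encode_for_config(client_cert_pem)
        config["CATALOG_DB_CLIENT_CERT_KEY"] = encode_for_config(client_key_pem)
    return config

def catalog_db_mode(config):
    # Classify an existing config as "disabled", "SSL" or "TLS"; reject half-set mutual TLS.
    if config.get("CATALOG_DB_SSL") != "true":
        return "disabled"
    pem_label(base64.b64decode(config["CATALOG_DB_SERVER_CERT"], validate=True).decode("ascii"))
    has_cert, has_key = "CATALOG_DB_CLIENT_CERT" in config, "CATALOG_DB_CLIENT_CERT_KEY" in config
    if has_cert != has_key:
        raise ValueError("TLS needs both CATALOG_DB_CLIENT_CERT and CATALOG_DB_CLIENT_CERT_KEY")
    return "TLS" if has_cert else "SSL"

def _pem(label, payload):
    # Constructed, non-cryptographic PEM block used only as sample input here (not a real cert).
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

SERVER_CERT_PEM = _pem("CERTIFICATE", b"constructed server certificate DER")
CLIENT_CERT_PEM = _pem("CERTIFICATE", b"constructed client certificate DER")
CLIENT_KEY_PEM = _pem("PRIVATE KEY", b"constructed client private key DER")
```

To produce the parameters for a real deployment, read your own PEM files into the three arguments of build_catalog_db_config and write the returned mapping into the Okera configuration file.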

Troubleshooting

If problems arise, check whether CUSTOM_CERT_0 points to an incorrect value in the active ConfigMap (inspect it with kubectl edit cm). If it does, change it to point to /etc/secrets/CATALOG_DB_SERVER_CA.