Configure SSL/TLS for Okera Metadata Storage
Okera provides configurable SSL and TLS support for your Okera metadata storage in a MySQL or Postgres database. Specifically, it provides configurable:
- SSL and TLS support for MySQL databases
- SSL support for Postgres databases.
Okera can determine which protocol (SSL or TLS) to use based on the certificates provided.
Note: This setting affects only Okera's MySQL and Postgres metadata storage; it does not enable SSL/TLS throughout the Okera cluster. For information on cluster SSL support, see Configure SSL for the Cluster. Okera supports TLS only for MySQL catalogs at this time, and it does not support Cloud SQL Auth proxy functionality.
Configuration Steps
To configure SSL/TLS support for the Okera metadata storage:
1. Create or gather the required certificates for the MySQL or Postgres database used for Okera's metadata storage. If you already have them, use the same certificates you configured for the MySQL or Postgres database itself.
   - For SSL support, you need the certificate for the MySQL or Postgres database server.
   - For TLS support, you need the following for the MySQL database:
     - Server certificate
     - Client certificate
     - Private key for the client certificate
2. Encode the certificates in base64. You can do this using the following bash command (the `-w0` option keeps the encoded output on a single line):

   ```bash
   cat /path/to/<certificate>.pem | base64 -w0
   ```

   Substitute the name of the certificate `pem` file you are encoding for `<certificate>`.
3. Specify the base64-encoded certificates in the Okera configuration file using the following configuration parameters:
| Parameter | TLS or SSL | Description |
|---|---|---|
| `CATALOG_DB_SSL` | both | Set this parameter to `"true"` to enable configurable SSL or TLS support for the Okera metadata storage. The default value is `"false"`. |
| `CATALOG_DB_SERVER_CERT` | both | Specify the SSL/TLS certificate for the MySQL or Postgres database server. |
| `CATALOG_DB_CLIENT_CERT` | TLS | If you are using mutual (two-way) authentication, specify the TLS certificate for the MySQL database client. This parameter is only needed for TLS support. |
| `CATALOG_DB_CLIENT_CERT_KEY` | TLS | If you are using mutual (two-way) authentication, specify the private key for the MySQL client TLS certificate. This parameter is only needed for TLS support. |
TLS Configuration Example

```yaml
CATALOG_DB_CLIENT_CERT: <copy/pasted base64 value of client-cert.pem>
CATALOG_DB_CLIENT_CERT_KEY: <copy/pasted base64 value of client-cert-key.pem>
CATALOG_DB_SERVER_CERT: <copy/pasted base64 value of server-cert.pem>
CATALOG_DB_SSL: "true"
```

SSL Configuration Example

```yaml
CATALOG_DB_SERVER_CERT: <copy/pasted base64 value of server-cert.pem>
CATALOG_DB_SSL: "true"
```
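The steps above, carried out as a small POSIX shell helper that checks each file is the right kind of PEM block before encoding it, emits either the SSL or the TLS fragment, and decodes a value back to confirm the pasted text round-trips. This is an added example, not Okera's own tooling; it assumes only the `CATALOG_DB_*` parameter names documented above, and the file names and PEM contents written by `write_sample_pems` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Okera's own tooling. It assumes only the CATALOG_DB_*
# parameter names documented above; the file names and the PEM contents
# written by write_sample_pems are constructed placeholders.
set -eu

# base64 on a single line, portable across GNU (-w0) and BSD base64.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Check that a file is a PEM block of the expected kind ($2 = CERTIFICATE or
# "PRIVATE KEY"), so a key is not pasted where a certificate belongs, or vice versa.
pem_is() {
  grep -q -- "^-----BEGIN .*$2-----" "$1" && grep -q -- "^-----END .*$2-----" "$1"
}

# Print the YAML fragment for the Okera configuration file.
# Usage: emit_catalog_db_tls SERVER_CERT [CLIENT_CERT CLIENT_KEY]
# The server certificate alone gives the SSL example; all three give the TLS example.
emit_catalog_db_tls() {
  pem_is "$1" CERTIFICATE || { echo "not a PEM certificate: $1" >&2; return 1; }
  echo 'CATALOG_DB_SSL: "true"'
  echo "CATALOG_DB_SERVER_CERT: $(b64_oneline "$1")"
  [ $# -ge 3 ] || return 0
  pem_is "$2" CERTIFICATE || { echo "not a PEM certificate: $2" >&2; return 1; }
  pem_is "$3" "PRIVATE KEY" || { echo "not a PEM private key: $3" >&2; return 1; }
  echo "CATALOG_DB_CLIENT_CERT: $(b64_oneline "$2")"
  echo "CATALOG_DB_CLIENT_CERT_KEY: $(b64_oneline "$3")"
}

# Decode one parameter back to PEM to confirm the pasted value round-trips.
decode_param() {  # $1 = generated config file, $2 = parameter name
  sed -n "s/^$2: //p" "$1" | base64 -d
}

# Constructed stand-in PEM files (placeholder bodies, not real key material).
write_sample_pems() {  # $1 = directory
  printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDERSERVERCERT '-----END CERTIFICATE-----' > "$1/server-cert.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDERCLIENTCERT '-----END CERTIFICATE-----' > "$1/client-cert.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' PLACEHOLDERCLIENTKEY '-----END PRIVATE KEY-----' > "$1/client-cert-key.pem"
}
```

Run it as `emit_catalog_db_tls server-cert.pem client-cert.pem client-cert-key.pem > catalog-tls.yaml` against your real files; swapping the client certificate and key is rejected rather than silently encoded.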
Troubleshooting

If problems arise, check whether `CUSTOM_CERT_0` points to an incorrect value in the active configmap (`kubectl edit cm`). If it does, change it to point to `/etc/secrets/CATALOG_DB_SERVER_CA`.