
Configure SSL/TLS for the Okera Catalog

Okera provides configurable SSL and TLS support for your Okera catalog. Specifically, it provides configurable:

  • SSL and TLS support for MySQL catalog databases
  • SSL support for Postgres catalog databases

Okera can determine which protocol (SSL or TLS) to use based on the certificates provided.

Notes: This setting only affects the Okera MySQL and Postgres catalogs; it does not enable configurable SSL/TLS support throughout the Okera cluster. For information on cluster SSL support, see Configure SSL for the Cluster.

Okera only supports TLS for MySQL catalogs at this time. It does not support Cloud SQL Auth proxy functionality.

Configuration Steps

To configure SSL/TLS support for the catalog:

  1. Create or gather the required certificates for your MySQL or Postgres database. If you have them, use the same certificates you configured for the MySQL and Postgres databases.

    For SSL support, you will need the certificate for the MySQL or Postgres database server.

    For TLS support, you will need the following certificates for the MySQL database:

    • Server
    • Client
    • Private key for the client certificate
  2. Encode the certificates in base64. You can do this using the following bash command:

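    cat /path/to/<certificate>.pem | base64 -w0


    Substitute the name of the certificate PEM file you are encoding for <certificate>. The -w0 option (GNU coreutils) disables line wrapping, so the encoded value is written as a single line.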

  3. Specify the base64-encoded certificates in the Okera configuration file using the following configuration parameters:

    | Parameter | TLS or SSL | Description |
    |---|---|---|
    | CATALOG_DB_SSL | both | Set this parameter to "true" to enable configurable SSL or TLS support for the Okera catalog. The default value is "false". |
    | CATALOG_DB_SERVER_CERT | both | Specify the SSL/TLS certificate for the MySQL or Postgres catalog database server. |
    | CATALOG_DB_CLIENT_CERT | TLS | Specify the TLS certificate for the MySQL catalog database client. This parameter is only needed for TLS support. |
    | CATALOG_DB_CLIENT_CERT_KEY | TLS | Specify the private key for the MySQL catalog client TLS certificate. This parameter is only needed for TLS support. |

TLS Configuration Example

CATALOG_DB_CLIENT_CERT: <copy/pasted base64 value of client-cert.pem>
CATALOG_DB_CLIENT_CERT_KEY: <copy/pasted base64 value of client-cert-key.pem>
CATALOG_DB_SERVER_CERT: <copy/pasted base64 value of server-cert.pem>
CATALOG_DB_SSL: "true"

SSL Configuration Example

CATALOG_DB_SERVER_CERT: <copy/pasted base64 value of server-cert.pem>
CATALOG_DB_SSL: "true"
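
The script below is an added example, not part of Okera's documentation or tooling: it performs the encoding step for each PEM file and prints the parameter lines in the format of the TLS and SSL examples above. The function names and file paths are hypothetical, and the check on each file is structural only (it reads the PEM header text).

```shell
# Added example: build the CATALOG_DB_* lines from PEM files. Function names
# and paths are hypothetical; only the CATALOG_DB_* names come from the page.

# Print FILE as single-line base64 after checking its PEM header.
# KIND is "cert" or "key". The check is structural (header text only);
# it does not validate the certificate or key cryptographically.
encode_pem() {
  local kind="$1" file="$2" label encoded
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  label=$(grep -m1 -e '^-----BEGIN ' "$file") || {
    echo "$file: no PEM header" >&2; return 1; }
  case "$kind:$label" in
    cert:*'BEGIN CERTIFICATE-----') ;;
    key:*'PRIVATE KEY-----') ;;
    *) echo "$file: expected a $kind, found '$label'" >&2; return 1 ;;
  esac
  # tr strips any line wrapping, so GNU and BSD base64 behave the same.
  encoded=$(base64 < "$file" | tr -d '\n')
  # Round trip: the decoded value must match the file byte for byte.
  printf '%s' "$encoded" | base64 --decode | cmp -s - "$file" || {
    echo "$file: base64 round trip failed" >&2; return 1; }
  printf '%s' "$encoded"
}

# Usage: catalog_db_config SERVER_CERT [CLIENT_CERT CLIENT_KEY]
# One argument prints the SSL form, three print the TLS form.
catalog_db_config() {
  local server client key
  case $# in
    1|3) ;;
    *) echo "usage: catalog_db_config server.pem [client.pem key.pem]" >&2
       return 2 ;;
  esac
  server=$(encode_pem cert "$1") || return 1
  if [ $# -eq 3 ]; then
    client=$(encode_pem cert "$2") || return 1
    key=$(encode_pem key "$3") || return 1
    printf 'CATALOG_DB_CLIENT_CERT: %s\n' "$client"
    printf 'CATALOG_DB_CLIENT_CERT_KEY: %s\n' "$key"
  fi
  printf 'CATALOG_DB_SERVER_CERT: %s\n' "$server"
  printf 'CATALOG_DB_SSL: "true"\n'
}
```

In the TLS form the output contains the client private key, and base64 is an encoding rather than encryption, so write the output to a file created under `umask 077` instead of leaving it in shell history or a shared log.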

Troubleshooting

If problems arise, check the active configmap (kubectl edit cm) to see whether CUSTOM_CERT_0 points to an incorrect value. If it does, change it to point to /etc/secrets/CATALOG_DB_SERVER_CA.