Tungsten Clustering

Deploy and Configure Security

By default, the manifests shipped with the packages have security disabled; adjust them according to the option you choose below.

Option A: Deploy WITHOUT security (No SSL/TLS) - Default

The manifests are pre-configured with security disabled. This is the quickest way to get started.

The default security settings are in configmap-tungsten.yaml; an example is shown below:

disable-security-controls=true
connector-ssl-capable=false
connector-driver-options=?useSSL=false

In the deployment.yaml file, the security volume mounts are commented out.

Initiate deployment without security

Apply all manifests (secret-security.yaml is optional without security) using the kubectl command.

shell> kubectl apply -f namespace.yaml
shell> kubectl apply -f configmap-tungsten.yaml
shell> kubectl apply -f configmap-listeners.yaml
shell> kubectl apply -f secret-credentials.yaml
shell> kubectl apply -f deployment.yaml
shell> kubectl apply -f service.yaml

Or, apply them all at once:

shell> kubectl apply -f .

To test without SSL, get the LoadBalancer external IP:

shell> kubectl -n tungsten-connector get service tungsten-connector

Wait for the EXTERNAL-IP to be assigned, then connect, replacing [EXTERNAL-IP] with the actual IP from the command above:

shell> mysql -h [EXTERNAL-IP] -u app_user -psecret -P 3306

Option B: Deploy WITH Security (SSL/TLS)

If you want to enable SSL/TLS security, follow these steps:

  1. Enable Security in Configuration

    Edit configmap-tungsten.yaml and change these three settings:

    • Change from true to false:

      disable-security-controls=false
    • Change from false to true:

      connector-ssl-capable=true
    • Change from '?useSSL=false' to '?useSSL=true':

      connector-driver-options=?useSSL=true
  2. Required SSL Certificate Files

    You must obtain these files from an existing Tungsten Cluster node (typically from /opt/continuent/share) where security is enabled:

    passwords.store
    tungsten_keystore.jks
    tungsten_truststore.ts
    tungsten_connector_keystore.jks
    tungsten_connector_truststore.ts
    tungsten_tls_keystore.jks
  3. Add SSL Certificates to Secret

    Base64-encode each file:

    shell> cat passwords.store | base64
    shell> cat tungsten_keystore.jks | base64
    shell> cat tungsten_truststore.ts | base64
    shell> cat tungsten_connector_keystore.jks | base64
    shell> cat tungsten_connector_truststore.ts | base64
    shell> cat tungsten_tls_keystore.jks | base64

    Edit secret-security.yaml and uncomment the data: section (around line 67), then add the base64-encoded content:

    data:
      passwords.store: <BASE64_ENCODED_CONTENT>
      tungsten_keystore.jks: <BASE64_ENCODED_CONTENT>
      tungsten_truststore.ts: <BASE64_ENCODED_CONTENT>
      tungsten_connector_keystore.jks: <BASE64_ENCODED_CONTENT>
      tungsten_connector_truststore.ts: <BASE64_ENCODED_CONTENT>
      tungsten_tls_keystore.jks: <BASE64_ENCODED_CONTENT>
  4. Uncomment Security Volume Mounts

    Edit deployment.yaml and uncomment the security sections:

    Uncomment the lines for the Volume Mounts (around lines 111-120):

    - name: tungsten-security
      mountPath: /opt/continuent/tungsten/cluster-home/conf/security.properties
      subPath: security.properties
      readOnly: true

    - name: ssl-certs
      mountPath: /opt/continuent/share
      readOnly: true

    Uncomment the lines for the Volumes (around lines 138-163):

    - name: tungsten-security
      secret:
        secretName: tungsten-security
        items:
          - key: security.properties
            path: security.properties

    - name: ssl-certs
      secret:
        secretName: tungsten-security
        optional: true
        items:
          - key: passwords.store
            path: passwords.store
          - key: tungsten_keystore.jks
            path: tungsten_keystore.jks
          - key: tungsten_truststore.ts
            path: tungsten_truststore.ts
          - key: tungsten_connector_keystore.jks
            path: tungsten_connector_keystore.jks
          - key: tungsten_connector_truststore.ts
            path: tungsten_connector_truststore.ts
          - key: tungsten_tls_keystore.jks
            path: tungsten_tls_keystore.jks
  5. Deploy with Security

    Apply all manifests using the kubectl command:

    shell> kubectl apply -f namespace.yaml
    shell> kubectl apply -f configmap-tungsten.yaml
    shell> kubectl apply -f configmap-listeners.yaml
    shell> kubectl apply -f secret-credentials.yaml
    shell> kubectl apply -f secret-security.yaml
    shell> kubectl apply -f deployment.yaml
    shell> kubectl apply -f service.yaml

    Or apply all at once:

    shell> kubectl apply -f .
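
Steps 1 to 3 can be checked before anything is applied. The script below is an added example, not part of the Tungsten packages or documentation: it confirms that configmap-tungsten.yaml carries the three secure values from step 1 and prints the step 3 data: section with each file base64-encoded on a single line. The function names, the two-space YAML indent and the one-setting-per-line layout are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for Option B (not part of the Tungsten manifests).

# The six files named in step 2.
SECURITY_FILES="passwords.store tungsten_keystore.jks tungsten_truststore.ts
tungsten_connector_keystore.jks tungsten_connector_truststore.ts tungsten_tls_keystore.jks"

# check_configmap FILE: succeeds only if all three step 1 settings have their
# secure values. Assumes one setting per line, as in the excerpt on the page.
check_configmap() {
    missing=0
    for want in disable-security-controls=false connector-ssl-capable=true \
                'connector-driver-options=?useSSL=true'; do
        if ! sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -Fxq -- "$want"; then
            echo "not set: $want" >&2
            missing=1
        fi
    done
    return "$missing"
}

# emit_secret_data DIR: prints the data: section for secret-security.yaml.
# GNU base64 wraps output at 76 columns, so newlines are stripped to keep each
# value a single-line YAML scalar.
emit_secret_data() {
    for f in $SECURITY_FILES; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
    echo "data:"
    for f in $SECURITY_FILES; do
        printf '  %s: %s\n' "$f" "$(base64 < "$1/$f" | tr -d '\n')"
    done
}

# demo: runs both functions on constructed inputs (placeholder bytes, not keystores).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '    %s\n' disable-security-controls=false connector-ssl-capable=true \
        'connector-driver-options=?useSSL=true' > "$tmp/configmap-tungsten.yaml"
    for f in $SECURITY_FILES; do
        printf '%0100d' 0 > "$tmp/$f"
    done
    check_configmap "$tmp/configmap-tungsten.yaml" && emit_secret_data "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo
```

The output of emit_secret_data contains the keystores and password store, so redirect it to a file only you can read rather than leaving it in terminal scrollback.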

To test with SSL:

Get the LoadBalancer external IP:

shell> kubectl -n tungsten-connector get service tungsten-connector

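Wait for the EXTERNAL-IP to be assigned, then connect with SSL, replacing [EXTERNAL-IP] with the actual IP from the command above. Because the command sets --ssl-verify-server-cert=false, the session is encrypted but the client does not verify that the certificate presented belongs to the host it connected to: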

shell> mysql -h [EXTERNAL-IP] -u app_user -psecret -P 3306 --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-verify-server-cert=false