Installing TLS Certificates in SQL Server
TLS certificates can be installed into SQL Server containers using volume mounts.
Note: Installing TLS certificates into the containers involves modifying the custom resource with a volume that references a ConfigMap containing the certificate and private key files.
To add TLS certs, do the following:

1. Create a ConfigMap for `mssql.conf` that enables TLS and uses the following directories for the certificate and key:

   mssqlconf.yaml

   ```yaml
   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: mssqlconf
   data:
     mssql.conf: |
       [network]
       tlscert = /etc/ssl/certs/mssql.pem
       tlskey = /etc/ssl/private/mssql.key
       tlsprotocols = 1.2
       forceencryption = 1
   ```
2. Create another ConfigMap that contains your keys.

   Caution: The keys below are given as an example only. Do not use them in production environments.

   mssqlkeys.yaml

   ```yaml
   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: mssqlkeys
   data:
     mssql.pem: |-
       -----BEGIN CERTIFICATE-----
       ...
       -----END CERTIFICATE-----
     mssql.key: |-
       -----BEGIN PRIVATE KEY-----
       ...
       -----END PRIVATE KEY-----
   ```
3. In the DxEnterpriseSqlAg YAML, add the `volume` to the pod and the `volumeMount` to the `mssql` container.

   Note: The example YAML below has the following modifications:

   - It references the `mssqlconf` ConfigMap in `mssqlServerContainer`.
   - It creates a volume for the pod that references the `mssqlkeys` ConfigMap and places the files in their appropriate subdirectories (`certs/` and `private/`).
   - It mounts the volume at the `/etc/ssl` directory in the `mssql` container, so the files appear at the paths `mssql.conf` expects.

   You will need to provide your own `dxe` and `mssql` secrets for the pods to start up. See the Installing DxOperator section of the DxOperator quick start guide for more information on how to create these secrets.

   ```yaml
   apiVersion: dh2i.com/v1
   kind: DxEnterpriseSqlAg
   metadata:
     name: dxesqlag
   spec:
     synchronousReplicas: 3
     asynchronousReplicas: 0
     configurationOnlyReplicas: 0
     availabilityGroupClusterType: "EXTERNAL"
     template:
       spec:
         dxEnterpriseContainer:
           image: "docker.io/dh2i/dxe:latest"
           acceptEula: true
           clusterSecret: dxe
           joinExistingCluster: false
         mssqlServerContainer:
           image: "mcr.microsoft.com/mssql/server:latest"
           mssqlSecret: mssql
           acceptEula: true
           mssqlPID: Developer
           mssqlConfigMap: mssqlconf
           volumeMounts:
             - name: cfgtest
               mountPath: "/etc/ssl"
         volumes:
           - name: cfgtest
             configMap:
               name: mssqlkeys
               items:
                 - key: "mssql.pem"
                   path: "certs/mssql.pem"
                 - key: "mssql.key"
                   path: "private/mssql.key"
   ```
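The three objects above only work together if the `tlscert`/`tlskey` paths in `mssql.conf` match what the `volumeMount` plus each `configMap` item `path` will actually create inside the container. The following pre-flight check is an added example, not code from the DxOperator documentation; it assumes the YAML has already been loaded into dicts (for instance with `yaml.safe_load`) and uses constructed stand-ins that mirror the page's objects, flagging a wrong `mountPath`, a swapped certificate and key, or `forceencryption` left off.

```python
import configparser
from pathlib import PurePosixPath

# Constructed copy of the page's mssql.conf (only the [network] section matters here).
SAMPLE_CONF = ("[network]\ntlscert = /etc/ssl/certs/mssql.pem\n"
               "tlskey = /etc/ssl/private/mssql.key\ntlsprotocols = 1.2\nforceencryption = 1\n")

def sample_objects(mount_path="/etc/ssl"):
    """Constructed stand-ins for the two ConfigMaps and the CR (as yaml.safe_load dicts)."""
    configmaps = {
        "mssqlconf": {"data": {"mssql.conf": SAMPLE_CONF}},
        "mssqlkeys": {"data": {"mssql.pem": "-----BEGIN CERTIFICATE-----\n...",
                               "mssql.key": "-----BEGIN PRIVATE KEY-----\n..."}}}
    cr = {"spec": {"template": {"spec": {
        "mssqlServerContainer": {"mssqlConfigMap": "mssqlconf",
                                 "volumeMounts": [{"name": "cfgtest", "mountPath": mount_path}]},
        "volumes": [{"name": "cfgtest", "configMap": {"name": "mssqlkeys", "items": [
            {"key": "mssql.pem", "path": "certs/mssql.pem"},
            {"key": "mssql.key", "path": "private/mssql.key"}]}}]}}}}
    return cr, configmaps

def mounted_files(container, pod_spec, configmaps):
    """Map absolute path -> content for every file a configMap volumeMount projects."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    files = {}
    for mount in container.get("volumeMounts", []):
        cm = volumes.get(mount["name"], {}).get("configMap", {})  # {} if not ConfigMap-backed
        data = configmaps.get(cm.get("name"), {}).get("data", {})
        items = cm.get("items") or [{"key": k, "path": k} for k in data]
        for item in items:
            if item["key"] in data:  # keys missing from the ConfigMap are silently not projected
                files[str(PurePosixPath(mount["mountPath"]) / item["path"])] = data[item["key"]]
    return files

def check_tls_wiring(cr, configmaps):
    """Return a list of problems; an empty list means mssql.conf and the mounts agree."""
    pod_spec = cr["spec"]["template"]["spec"]
    mssql = pod_spec["mssqlServerContainer"]
    cp = configparser.ConfigParser()
    cp.read_string(configmaps[mssql["mssqlConfigMap"]]["data"]["mssql.conf"])
    net, files, problems = cp["network"], mounted_files(mssql, pod_spec, configmaps), []
    if net.get("forceencryption") != "1":
        problems.append("forceencryption is not 1: clients may still connect in cleartext")
    for opt, label in (("tlscert", "CERTIFICATE"), ("tlskey", "PRIVATE KEY")):
        path = net.get(opt)
        if path not in files:
            problems.append(f"{opt} = {path} is not provided by any configMap volumeMount")
        elif label not in files[path].lstrip().partition("\n")[0]:
            problems.append(f"{opt} = {path} does not start with a {label} PEM block")
    return problems
```

Because a volume mounted at `/etc/ssl` replaces that whole directory, anything the image ships there (such as the system CA bundle) is hidden from the container; confirm that nothing in the `mssql` container depends on those files before relying on this layout.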