Version: v1.0.67.0

Installing TLS Certificates in SQL Server

TLS certificates can be installed into SQL Server containers using volume mounts.

Information

Installing TLS certificates into the containers involves adding a volume to the custom resource that references a ConfigMap containing the certificate and private key files.

To add TLS certs, do the following:

  1. Create a ConfigMap for the mssql.conf that enables TLS and uses the following directories for the keys:

    mssqlconf.yaml

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: mssqlconf
    data:
      mssql.conf: |
        [network]
        tlscert = /etc/ssl/certs/mssql.pem
        tlskey = /etc/ssl/private/mssql.key
        tlsprotocols = 1.2
        forceencryption = 1
  2. Create another ConfigMap that contains your keys.

    caution

    The keys below are given as an example only. Do not use them in production environments.

    mssqlkeys.yaml

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: mssqlkeys
    data:
      mssql.pem: |-
        -----BEGIN CERTIFICATE-----
        MIIDXTCCAkWgAwIBAgIJAK+DAfXwI/HPMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
        BAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
        aWRnaXRzIFB0eSBMdGQwHhcNMjQwMjIwMjIwMjMwWhcNMjQwMzIxMjIwMjMwWjBF
        MQswCQYDVQQGEwJVUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
        ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
        CgKCAQEA+2VKL8eJWHqx64VD8iwRfzAjW/TV7a9ysbkaaI42pnrkf7DEgSiJOXXa
        XtfT78CMul0s2pPXzvGKH9TPXAypHQj1jCCIwyqwx1dtvXPF+Rh+lOrQvqTiE+Yt
        BgCOY39OmGXXXs9ftHE86ImzrauduVU/UOI0iKk1JT4UY3DjAtYJZYFiYgfLjMLo
        T/egtW3VlvMAns+D5A3sNnpDgKkxiXiX7LyiZNaECcgfk5DRn2YlZmB8AjPPiRVI
        qcil+1ZQryP9Nr6NsBmmebq8u6I1r5/0VFlqeV7R4aPabksfaFiw5zM4p8eJ8SAC
        9yxuES3FV6OffoKqCgVMSk3oMl3bIQIDAQABo1AwTjAdBgNVHQ4EFgQU/4uisV2y
        5G4oScHStW3UfSL4i8EwHwYDVR0jBBgwFoAU/4uisV2y5G4oScHStW3UfSL4i8Ew
        DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAGd1FafRW5iipq7ozUuNT
        fsofQAY/C8mzNZSJ36aPx+jh8zEQOIv61YXLrWjVHtex2VRTY+SPmgLqp+95J9Uk
        /OpMwF/et5280nJOgyK1KRf2WvFQ40FRQWgW69Ks9vhX+pFGLaef7QW2XnTEm19f
        Hn7nFgOMy1VIM3xkexq0o+wloki1ypSeIbR6YN3dmp9g3RkWm+h4Z4IxXlDYD3EU
        sQ3apKqp9xGSJpm7uxRpFUHMeXz7jzQcM7XwkKZZtaUbyJ/vmZ7NYXhcQze+wb1H
        HqmsmZx77a3OZqCZ6X8oCvon5PPotwhXJf+s4/s848KUh9pIJf+TPf8jL+mxmS7o
        TA==
        -----END CERTIFICATE-----
      mssql.key: |-
        -----BEGIN PRIVATE KEY-----
        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD7ZUovx4lYerHr
        hUPyLBF/MCNb9NXtr3KxuRpojjameuR/sMSBKIk5ddpe19PvwIy6XSzak9fO8Yof
        1M9cDKkdCPWMIIjDKrDHV229c8X5GH6U6tC+pOIT5i0GAI5jf06YZddez1+0cTzo
        ibOtq525VT9Q4jSIqTUlPhRjcOMC1gllgWJiB8uMwuhP96C1bdWW8wCez4PkDew2
        ekOAqTGJeJfsvKJk1oQJyB+TkNGfZiVmYHwCM8+JFUipyKX7VlCvI/02vo2wGaZ5
        ury7ojWvn/RUWWp5XtHho9puSx9oWLDnMzinx4nxIAL3LG4RLcVXo59+gqoKBUxK
        TegyXdshAgMBAAECggEBAJNyFw7q8y1H2S6P3QgevKxiaXq3oPllG9oM/OYx8u+1
        yGr0HGy8f6+J5egWoiFOR7vOhk40xDCGDkMZJ/2PF2kGJi5nro75bPGd36lsS8ML
        kMJ67q/COS7+o42PqfPFaS2NHcJn0nQcrmKc0RudOkbHLvmbksBMrfUH8iFYxmyU
        Pxpbdv4TH5Yt5L1kraIn44KwfmGdxxRDZq1gV9KbmX+387lDmwK7J2QZTe7M4zWP
        hy3arbOS2salb+XAXn7oAuVuRuOJ0ZShFnFiNHCsS0n9cicaPLg17vm7yV6Zz5Qj
        JxnGIlc8yuOp41tzvm1ML4sUTQvHLRoOe6BjOVFtuIECgYEA/9jh4FOZ0Fpsq48s
        9SVgoxj1mHhY8NKxAZU2UMyqMQ79Za055ntPiyrS4SXXe/kR5Gs8g0xwC5Sj3KE4
        hMR08W0KzPrNVDcEq0GwPILlZXmV/pZofmrrZf9ZX5e3gN2qr1L3X7nKXtzA6y9W
        GecL8gfdWzXPHnQNdZ2wIP4uJYkCgYEA+4u6Ep9/pWEpIRC0AXjdRgdp8hRmZjEk
        QniebIJy8JQnH4na27tYXTdz0zbJQ/G6xixfbB0399cVgmPbiJH8oF7tv9A0RUxc
        nCZcYYobABhbUYcIaB4LXqwt7Wph663XDPYrK3cqZxV1Yk+un0iGTpubbaR9MXQV
        nHkFjrIHOtkCgYAYZiyUYiSnFBiM++iDsH7YzwaM9d01ikJLLlmxtvL8HrvXuH9v
        FY9ubDUUN7GnJwenyvpIYz/EOvatkcp8DuhAJfADwF9Yiq6tTmRqQOlzlfbSArIQ
        bE3qukFhtmxPo9QlSDpDLMq55T+Yrjj922TuPgXELwuDkfm+n70uSE9KUQKBgQDQ
        N1DGqZAXbN2GqTTXIxzGIsznvUslu/evrfg1CaXqzje0O4AV8nWqc4REiU0AGM/p
        ykESVP1HAZqkW9QUsALVHL7fz4/07Mib2IUPmCnRYlf0nDmxNW1j6FH7+9siIrun
        1vzU9cb7nR+VSS/aWUYTO2rkzwtyLAzXgLXA8ExbwQKBgDFyix4mRCaMIrfGVM+J
        YCQxPn6RxSZdQx+/qphRNNv/X8HAcczGDgZmxWlqFX49XqWFgytUW7yUlOEAEIU/
        DMm/+dSQb1wfzcQ0Ngv41z1qitsJ5ZVksV75sGL8Te5LAgwczU11QOH79zQGQfT2
        9j6r4WR3RYgFIB/FNNom1sZL
        -----END PRIVATE KEY-----
  3. In the DxEnterpriseSqlAg YAML, add the volume to the pod and volumeMount to the mssql container.

    info

    The example YAML below has the following modifications:

    • It references the mssqlconf ConfigMap in mssqlServerContainer.

    • It creates a volume for the pod that references the mssqlkeys ConfigMap, and places the files in their appropriate subdirectories.

    • It mounts the volume to the /etc/ssl directory in the mssql container.

    You will need to provide your own dxe and mssql secrets for the pods to start up. See the Installing DxOperator section of the DxOperator quick start guide for more information on how to create these secrets.

    apiVersion: dh2i.com/v1
    kind: DxEnterpriseSqlAg
    metadata:
      name: dxesqlag
    spec:
      synchronousReplicas: 3
      asynchronousReplicas: 0
      configurationOnlyReplicas: 0
      availabilityGroupClusterType: "EXTERNAL"
      template:
        spec:
          dxEnterpriseContainer:
            image: "docker.io/dh2i/dxe:latest"
            acceptEula: true
            clusterSecret: dxe
            joinExistingCluster: false
          mssqlServerContainer:
            image: "mcr.microsoft.com/mssql/server:latest"
            mssqlSecret: mssql
            acceptEula: true
            mssqlPID: Developer
            mssqlConfigMap: mssqlconf
            volumeMounts:
            - name: cfgtest
              mountPath: "/etc/ssl"
          volumes:
          - name: cfgtest
            configMap:
              name: mssqlkeys
              items:
              - key: "mssql.pem"
                path: "certs/mssql.pem"
              - key: "mssql.key"
                path: "private/mssql.key"
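
A consistency check for the three objects in the steps above, as an added example that is not part of the original page or of DxOperator: it confirms that the tlscert and tlskey paths in mssql.conf resolve to files that the volume mount actually projects into the container. The function names are hypothetical, and the inputs are constructed copies of the page's values held as Python dicts rather than parsed YAML.

```python
import configparser
import posixpath

# Constructed inputs: the [network] section and volume wiring from the steps above.
MSSQL_CONF = """\
[network]
tlscert = /etc/ssl/certs/mssql.pem
tlskey = /etc/ssl/private/mssql.key
tlsprotocols = 1.2
forceencryption = 1
"""
VOLUME_MOUNT = {"name": "cfgtest", "mountPath": "/etc/ssl"}
VOLUME = {"name": "cfgtest", "configMap": {"name": "mssqlkeys", "items": [
    {"key": "mssql.pem", "path": "certs/mssql.pem"},
    {"key": "mssql.key", "path": "private/mssql.key"},
]}}


def projected_files(mount, volume):
    """Map each absolute in-container path to the ConfigMap key projected there."""
    if mount["name"] != volume["name"]:
        raise ValueError("volumeMount does not reference this volume")
    root = mount["mountPath"]
    return {posixpath.normpath(posixpath.join(root, i["path"])): i["key"]
            for i in volume["configMap"]["items"]}


def check_tls_wiring(conf_text, mount, volume):
    """Return a list of problems; an empty list means the objects agree."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("network"):
        return ["mssql.conf has no [network] section"]
    net = parser["network"]
    files = projected_files(mount, volume)
    problems = []
    for setting in ("tlscert", "tlskey"):
        path = net.get(setting)
        if path is None:
            problems.append(f"{setting} is not set")
        elif posixpath.normpath(path) not in files:
            problems.append(f"{setting} = {path} is not a file projected by the volume")
    if net.get("forceencryption") != "1":
        problems.append("forceencryption is not 1, so encryption is left to the client")
    return problems


if __name__ == "__main__":
    print(check_tls_wiring(MSSQL_CONF, VOLUME_MOUNT, VOLUME) or "wiring is consistent")
```

A mismatch between mountPath plus the item paths and the tlscert/tlskey settings leaves SQL Server pointing at files that do not exist in the container, which this check reports before the manifests are applied.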