Object storage with SSL/TLS enabled
You only need to import the Object Storage certificate into the Embedded MPP’s truststore if the certificate is self-signed or it is signed by a private authority that does not exist within the Embedded MPP’s truststore.
To import the certificate, add it to the prestocluster\presto\secrets\certs and prestocluster\hive-metastore\secrets\certs directories.
This way the certificate will be automatically imported into the Embedded MPP’s truststores (Presto and Hive Metastore).
To check that the certificate has been imported correctly, check the logs with the kubectl logs <presto-coordinator pod> -c init-cacert and kubectl logs <hive-metastore pod> -c init-cacert commands.
If successful, the message will be:
Adding /opt/certs/storage.cer to keystore
Certificate was added to keystore
If it fails, the message will display an error, e.g.:
Adding /opt/certs/storage.cer to keystore
keytool error: java.lang.Exception: Input not an X.509 certificate
If there were errors when importing the certificate and you run kubectl get pods, the Embedded MPP pods will display error states like Init:Error or Init:CrashLoopBackOff.
GET PODS
NAME READY STATUS RESTARTS AGE
presto-coordinator-fdbd79df5-p77ll 0/1 Init:Error 1 (2s ago) 3s
presto-worker-76cf6864b5-gshv5 0/1 Init:Error 1 (2s ago) 3s
presto-worker-76cf6864b5-jxrxh 0/1 Init:Error 1 (2s ago) 3s
presto-coordinator-fdbd79df5-p77ll 0/1 Init:CrashLoopBackOff 1 (12s ago) 14s
presto-worker-76cf6864b5-gshv5 0/1 Init:CrashLoopBackOff 1 (12s ago) 14s
presto-worker-76cf6864b5-jxrxh 0/1 Init:CrashLoopBackOff 1 (13s ago) 15s
hive-metastore-f6f588fb-f9qrd 0/1 Init:Error 0 23s
hive-metastore-f6f588fb-f9qrd 0/1 Init:CrashLoopBackOff 1 (32s ago) 2m28s
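
A malformed certificate file is only reported once the init-cacert container runs and the pods fall into Init:Error, so it helps to validate the file before copying it into the two secrets\certs directories. The following pre-flight check is an added example, not part of the product documentation: check_storage_cert is a hypothetical helper name, and the script assumes the openssl command-line tool is installed on the workstation.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# check_storage_cert is a hypothetical helper; it needs the openssl CLI.
# Exit codes: 0 ok, 1 not X.509, 2 missing/empty, 3 expired, 4 private key present.
check_storage_cert() {
    cert="$1"
    if [ ! -s "$cert" ]; then
        echo "FAIL: $cert is missing or empty" >&2
        return 2
    fi
    # A truststore entry needs only the public certificate; never ship key material.
    if grep -q -- 'PRIVATE KEY-----' "$cert"; then
        echo "FAIL: $cert contains a private key" >&2
        return 4
    fi
    # Choose the encoding to parse from the presence of the PEM header.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        form=PEM
    else
        form=DER
    fi
    # A file that fails here is not a certificate (for example a CSR,
    # a truncated download, or an HTML error page saved by mistake).
    if ! openssl x509 -in "$cert" -inform "$form" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a parseable X.509 certificate" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -inform "$form" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2
        return 3
    fi
    # Show what is about to be trusted so it can be compared with the storage endpoint.
    openssl x509 -in "$cert" -inform "$form" -noout -subject -issuer -enddate \
        -fingerprint -sha256
    echo "OK: $cert is a valid $form X.509 certificate"
}

# Stand-alone use: sh check_storage_cert.sh storage.cer
if [ "$#" -gt 0 ]; then
    check_storage_cert "$1"
fi
```

Compare the printed SHA-256 fingerprint with the one obtained from the object storage administrator before deploying, since anything placed in these directories becomes trusted by both Presto and the Hive Metastore.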