New to KubeDB? Please start here.

HanaDB TLS/SSL Encryption

KubeDB supports providing TLS/SSL encryption for HanaDB using cert-manager. This guide shows how to deploy a HanaDB with TLS enabled, and how to add, rotate, and remove TLS on a running database with a HanaDBOpsRequest.

Note: The YAML files used in this tutorial are stored in docs/examples/hanadb/tls folder in the GitHub repository kubedb/docs.

Before You Begin

  • Install cert-manager in your cluster (it provisions the certificates).
  • Install the KubeDB Provisioner and Ops-manager operators following the steps here.
  • Create a namespace:
$ kubectl create ns demo
namespace/demo created

How TLS works in HanaDB

When spec.tls is set on a HanaDB, KubeDB asks cert-manager to issue three certificates, identified by their alias:

AliasSecret nameUsed for
server<db>-server-certThe HANA SQL server certificate (mounted into the pod at /etc/hanadb-tls/server).
client<db>-client-certClient authentication used by KubeDB.
metrics-exporter<db>-metrics-exporter-certThe Prometheus exporter’s client connection.

spec.tls.issuerRef is required and must reference a cert-manager Issuer or ClusterIssuer.

Create an Issuer

These guides use a self-signed CA Issuer. First create a CA key pair and a Secret, then an Issuer that signs with it.

# generate a CA
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/CN=ca/O=kubedb"
# store it as a Secret
$ kubectl create secret tls hdb-ca --cert=ca.crt --key=ca.key -n demo
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: hdb-ca-issuer
  namespace: demo
spec:
  ca:
    secretName: hdb-ca
$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/hanadb/tls/hdb-ca-issuer.yaml
issuer.cert-manager.io/hdb-ca-issuer created

Option A — Deploy a HanaDB with TLS enabled

Set spec.tls.issuerRef directly on the HanaDB:

apiVersion: kubedb.com/v1alpha2
kind: HanaDB
metadata:
  name: hanadb-cluster
  namespace: demo
spec:
  version: "2.0.82"
  replicas: 2
  storageType: Durable
  topology:
    mode: SystemReplication
    systemReplication:
      replicationMode: fullsync
      operationMode: logreplay_readaccess
  tls:
    issuerRef:
      apiGroup: cert-manager.io
      kind: Issuer
      name: hdb-ca-issuer
  storage:
    accessModes: ["ReadWriteOnce"]
    resources:
      requests:
        storage: 64Gi
    storageClassName: local-path
  deletionPolicy: WipeOut
$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/hanadb/tls/system-replication-tls.yaml
hanadb.kubedb.com/hanadb-cluster created

Option B — Add TLS to a running HanaDB (ReconfigureTLS)

If the database already exists without TLS, add TLS with a HanaDBOpsRequest of type ReconfigureTLS:

apiVersion: ops.kubedb.com/v1alpha1
kind: HanaDBOpsRequest
metadata:
  name: hdbops-add-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: hanadb-cluster
  tls:
    issuerRef:
      apiGroup: cert-manager.io
      kind: Issuer
      name: hdb-ca-issuer
  timeout: 30m
  apply: IfReady
$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/hanadb/tls/reconfigure-add-tls.yaml
hanadbopsrequest.ops.kubedb.com/hdbops-add-tls created

ReconfigureTLS performs a rolling restart of the HANA pods to load the new certificates. Request success alone is not enough — verify the database returns to Ready and that TLS connections work.

Wait for the ops request to succeed:

$ kubectl get hdbops -n demo hdbops-add-tls
NAME             TYPE             STATUS       AGE
hdbops-add-tls   ReconfigureTLS   Successful   7m
$ kubectl describe hdbops -n demo hdbops-add-tls
...
Status:
  Conditions:
    Message:  HanaDBOpsRequest has started to reconfigure TLS
    Reason:   ReconfigureTLS
    Type:     ReconfigureTLS
    Message:  Successfully reconciled HanaDB with TLS configuration
    Reason:   UpdatePetSets
    Type:     UpdatePetSets
    Message:  Successfully restarted HanaDB nodes
    Reason:   RestartNodes
    Type:     RestartNodes
    Message:  Successfully resumed database
    Reason:   DatabaseResumeSucceeded
    Type:     DatabaseResumeSucceeded
    Message:  HanaDB is ready after reconfigureTLS
    Reason:   DatabaseReady
    Type:     DatabaseReady
    Message:  Successfully completed reconfigureTLS for HanaDB.
    Reason:   Successful
    Type:     Successful
  Phase:      Successful

Verify TLS

Confirm the certificates and secrets exist, and that the server cert is mounted:

$ kubectl get issuer,certificate -n demo
NAME                                  READY   AGE
issuer.cert-manager.io/hdb-ca-issuer   True    10m

NAME                                                               READY   SECRET                                 AGE
certificate.cert-manager.io/hanadb-cluster-client-cert             True    hanadb-cluster-client-cert             3m
certificate.cert-manager.io/hanadb-cluster-metrics-exporter-cert   True    hanadb-cluster-metrics-exporter-cert   3m
certificate.cert-manager.io/hanadb-cluster-server-cert             True    hanadb-cluster-server-cert             3m

$ kubectl exec -n demo hanadb-cluster-1 -c hanadb -- /bin/sh -lc 'ls -l /etc/hanadb-tls/server'
total 0
lrwxrwxrwx 1 root root ... ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root ... tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root ... tls.key -> ..data/tls.key

Verify the TLS handshake against the SQL port (39017) using openssl s_client:

$ kubectl run hdb-tls-check -n demo --rm -i --restart=Never --image=alpine:3.20 -- \
  sh -lc "apk add --no-cache openssl >/dev/null && echo | openssl s_client -connect hanadb-cluster.demo.svc:39017 -servername hanadb-cluster.demo.svc"
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...

The handshake completes over TLS 1.3, confirming the SQL port now requires TLS. (SAP HANA serves the SQL endpoint from its own internal PKI keystore, so the certificate subject shown by openssl is HANA’s ClientPKI rather than the cert-manager leaf; the cert-manager material is supplied to the pod at /etc/hanadb-tls/server.)

Rotate Certificates

To force cert-manager to re-issue the certificates (for example before expiry), apply a ReconfigureTLS request with tls.rotateCertificates: true:

apiVersion: ops.kubedb.com/v1alpha1
kind: HanaDBOpsRequest
metadata:
  name: hdbops-rotate-tls
  namespace: demo
spec:
  type: ReconfigureTLS
  databaseRef:
    name: hanadb-cluster
  tls:
    rotateCertificates: true
  timeout: 30m
  apply: IfReady
$ kubectl apply -f https://github.com/kubedb/docs/raw/v2026.6.19/docs/examples/hanadb/tls/reconfigure-rotate-tls.yaml
hanadbopsrequest.ops.kubedb.com/hdbops-rotate-tls created

KubeDB re-issues all three certificates from the same issuer and performs a rolling restart so the pods pick up the new material. Track the request and confirm the database returns to Ready:

$ kubectl get hdbops -n demo hdbops-rotate-tls
$ kubectl get hanadb.kubedb.com -n demo hanadb-cluster

After a certificate rotation on a System Replication cluster, verify that a primary role is re-elected (kubectl get pods -n demo -l app.kubernetes.io/instance=hanadb-cluster -L kubedb.com/role) and that the raft coordinator can connect to HANA over the new certificate. If the coordinator logs show x509: certificate signed by unknown authority, the rotated CA is not yet trusted by the sidecar — inspect kubectl logs <pod> -c hanadb-coordinator before retrying.

Remove TLS

To disable TLS, apply a ReconfigureTLS request with tls.remove: true. For a System Replication cluster, KubeDB keeps HANA’s sslclientpki disabled after removal (per SAP guidance); for a standalone database it restores HANA’s built-in ClientPKI. Either way the pods are restarted.

Cleaning Up

$ kubectl delete hdbops -n demo hdbops-add-tls hdbops-rotate-tls
$ kubectl delete hanadb.kubedb.com -n demo hanadb-cluster
$ kubectl delete issuer -n demo hdb-ca-issuer
$ kubectl delete ns demo

Next Steps