redis · andy-stark-redis · Mar 21, 2025 · Mar 20, 2025 · Mar 21, 2025 · Mar 21, 2025
diff --git a/content/integrate/redis-data-integration/data-pipelines/deploy.md b/content/integrate/redis-data-integration/data-pipelines/deploy.md
@@ -65,7 +65,7 @@ redis-di set-secret SOURCE_DB_USERNAME myUserName
 
 Use
 [`kubectl create secret generic`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_generic/)
-to set secrets for a K8s/Helm deployment. The general pattern of the commands is
+to set secrets for a K8s/Helm deployment. The general pattern of the commands is:
 
 ```bash
 kubectl create secret generic <DB> \
@@ -74,6 +74,23 @@ kubectl create secret generic <DB> \
 ```
 
 Where `<DB>` is either `source-db` for source secrets or `target-db` for target secrets.
+
+If you use TLS or mTLS for either the source or target databases, you also need to create the `source-db-ssl` and / or `target-db-ssl` K8s secrets that contain the actual certificates used to establish secure connections. The general pattern of the commands is:
+
+```bash
+kubectl create secret generic <DB>-ssl \
+--namespace=rdi \
+--from-file=<FILE-NAME>=<FILE-PATH>
+```
+
+All certificates and keys used when creating the above secrets must be in PEM format, with one exception: for PostgreSQL, the private key in the `source-db-ssl` secret (the `client.key` file) must be in DER format. Only in this case, if you have a key in PEM format, first convert it to DER before creating the `source-db-ssl` secret using the command:
+
+```bash
+openssl pkcs8 -topk8 -inform PEM -outform DER -in /path/to/myclient.key -out /path/to/myclient.pk8 -nocrypt
+```
+
+The above command assumes that the private key is not encrypted. For converting an encrypted private key, refer to the `openssl` documentation.
+
 The specific command lines for source secrets are as follows:
 
 ```bash
@@ -102,7 +119,7 @@ kubectl create secret generic source-db --namespace=rdi \
 --from-literal=SOURCE_DB_USERNAME=yourUsername \
 --from-literal=SOURCE_DB_PASSWORD=yourPassword \
 --from-literal=SOURCE_DB_CACERT=/etc/certificates/source_db/ca.crt \
---from-literal=SOURCE_DB_CERT=/etc/certificates/source_db/client.crt \ 
+--from-literal=SOURCE_DB_CERT=/etc/certificates/source_db/client.crt \
 --from-literal=SOURCE_DB_KEY=/etc/certificates/source_db/client.key \
 --from-literal=SOURCE_DB_KEY_PASSWORD=yourKeyPassword \ # add this only if SOURCE_DB_KEY is password-protected
 --save-config --dry-run=client -o yaml | kubectl apply -f -
@@ -142,7 +159,7 @@ kubectl create secret generic target-db --namespace=rdi \
 --from-literal=TARGET_DB_USERNAME=yourUsername \
 --from-literal=TARGET_DB_PASSWORD=yourPassword \
 --from-literal=TARGET_DB_CACERT=/etc/certificates/target_db/ca.crt \
---from-literal=TARGET_DB_CERT=/etc/certificates/target_db/client.crt \ 
+--from-literal=TARGET_DB_CERT=/etc/certificates/target_db/client.crt \
 --from-literal=TARGET_DB_KEY=/etc/certificates/target_db/client.key \
 --from-literal=TARGET_DB_KEY_PASSWORD=yourKeyPassword \ # add this only if TARGET_DB_KEY is password-protected
 --save-config --dry-run=client -o yaml | kubectl apply -f -
@@ -154,6 +171,8 @@ kubectl create secret generic target-db-ssl --namespace=rdi \
 --save-config --dry-run=client -o yaml | kubectl apply -f -
 ```
 
+Note that the certificate paths contained in the secrets `SOURCE_DB_CACERT`, `SOURCE_DB_CERT`, and `SOURCE_DB_KEY` (for the source database) and `TARGET_DB_CACERT`, `TARGET_DB_CERT`, and `TARGET_DB_KEY` (for the target database) are internal to RDI and therefore their values specified in the above commands **must not be changed**. Only change the certificate paths when creating the `source-db-ssl` and `target-db-ssl` secrets.
+
 ## Deploy a pipeline
 
 When you have created your configuration, including the [jobs]({{< relref "/integrate/redis-data-integration/data-pipelines/data-pipelines#job-files" >}}), they are