Charmed MySQL K8s

Channel        Revision  Published    Runs on
8.0/stable     127       22 Mar 2024  Ubuntu 22.04
8.0/candidate  127       18 Mar 2024  Ubuntu 22.04
8.0/beta       132       22 Mar 2024  Ubuntu 22.04
8.0/edge       137       16 Apr 2024  Ubuntu 22.04

juju deploy mysql-k8s --channel 8.0/stable

Note: All commands are written for juju >= v.3.1

If you’re using juju 2.9, check the juju 3.0 Release Notes.

How to enable encryption

This guide will show how to enable TLS using the self-signed-certificates operator as an example.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.


Enable TLS

First, deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS on MySQL, integrate the two applications:

juju integrate self-signed-certificates mysql-k8s

Manage keys

Private keys used for certificate signing requests (CSR) can be updated via the set-tls-private-key action. A key passed as an external or internal key must be encoded with base64 -w0, not passed raw with cat.

With three replicas, follow this procedure:

Generate a shared internal (private) key:

openssl genrsa -out internal-key.pem 3072

Apply the newly generated internal key on each juju unit:

juju run mysql-k8s/0 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run mysql-k8s/1 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run mysql-k8s/2 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
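
The shared-key steps above as one script with a pre-flight check, added here as an example and not part of the original guide: it confirms the file has PEM private key markers, encodes it once with base64 -w0, verifies the result is a single line that decodes back to the same bytes, and applies that value to every unit. The function names and the JUJU override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the JUJU
# override variable are assumptions. Uses the juju >= 3.1 "juju run" syntax.

# encode_key FILE: print FILE as one base64 line, or fail with a reason.
encode_key() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Structural check only: PEM private keys start and end with these markers.
    case $(head -n 1 "$file") in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "$file: no PEM private key header" >&2; return 1 ;;
    esac
    case $(tail -n 1 "$file") in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo "$file: no PEM private key footer" >&2; return 1 ;;
    esac
    # -w0 disables line wrapping, so the whole key is one action parameter.
    encoded=$(base64 -w0 "$file") || return 1
    if [ "$(printf '%s\n' "$encoded" | wc -l)" -ne 1 ]; then
        echo "$file: encoded key spans several lines" >&2; return 1
    fi
    # Round trip: the decoded value must be byte-identical to the file.
    printf '%s' "$encoded" | base64 -d | cmp -s - "$file" || {
        echo "$file: base64 round trip mismatch" >&2; return 1
    }
    printf '%s\n' "$encoded"
}

# apply_internal_key FILE UNIT...: set the same internal key on every unit.
apply_internal_key() {
    keyfile=$1; shift
    param=$(encode_key "$keyfile") || return 1
    for unit in "$@"; do
        # JUJU=echo gives a dry run; note that its output contains the key.
        ${JUJU:-juju} run "$unit" set-tls-private-key "internal-key=$param" || return 1
    done
}

# Usage: apply_internal_key internal-key.pem mysql-k8s/0 mysql-k8s/1 mysql-k8s/2
```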

Updates can also be done with auto-generated keys:

juju run mysql-k8s/0 set-tls-private-key
juju run mysql-k8s/1 set-tls-private-key
juju run mysql-k8s/2 set-tls-private-key

Disable TLS

Disable TLS by removing the integration:

juju remove-relation self-signed-certificates mysql-k8s