Charmed MySQL K8s
- By Canonical Data Platform
|8.0/stable||75||20 Apr 2023|
|8.0/candidate||75||20 Apr 2023|
|8.0/beta||75||20 Apr 2023|
|8.0/edge||83||26 May 2023|
juju deploy mysql-k8s --channel 8.0/stable
You will need Juju 2.9 to be able to run this command. Learn how to upgrade to Juju 2.9.
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Enable Security in your MySQL deployment
This is part of the Charmed MySQL Tutorial. Please refer to this page for more information and the overview of the content.
Transport Layer Security (TLS)
TLS is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed MySQL K8s. This means (re-)configuring TLS on Charmed MySQL K8s is readily available and requires minimal effort on your end.
Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed MySQL K8s to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management in a consistent manner and handles providing, requesting, and renewing TLS certificates.
Before enabling TLS on Charmed MySQL K8s we must first deploy the
juju deploy tls-certificates-operator --config generate-self-signed-certificates="true" --config ca-common-name="Tutorial CA"
Wait until the
tls-certificates-operator is up and active, use
juju status --watch 1s to monitor the progress:
Model Controller Cloud/Region Version SLA Timestamp tutorial overlord microk8s/localhost 2.9.38 unsupported 23:04:02+01:00 App Version Status Scale Charm Channel Rev Address Exposed Message mysql-k8s 8.0.31 active 2 mysql-k8s 8.0/stable 36 10.152.183.234 no tls-certificates-operator active 1 tls-certificates-operator stable 22 10.152.183.76 no Unit Workload Agent Address Ports Message mysql-k8s/0* active idle 10.1.84.74 Unit is ready: Mode: RW mysql-k8s/1 active idle 10.1.84.127 Unit is ready: Mode: RO tls-certificates-operator/0* active idle 10.1.84.71
Note: this tutorial uses self-signed certificates; self-signed certificates should not be used in a production cluster.
To enable TLS on Charmed MySQL, relate the two applications:
juju relate mysql-k8s tls-certificates-operator
Add external TLS certificate
openssl to connect to the MySQL and check the TLS certificate in use:
> openssl s_client -starttls mysql -connect 10.1.84.74:3306 | grep Issuer ... depth=1 C = US, CN = Tutorial CA ...
Congratulations! MySQL is now using TLS certificate generated by the external application
Remove external TLS certificate
To remove the external TLS and return to the locally generate one, unrelate applications:
juju remove-relation mysql-k8s tls-certificates-operator
Check the TLS certificate in use:
> openssl s_client -starttls mysql -connect 10.1.84.74:3306 | grep Issuer
The output should be similar to:
... Issuer: CN = MySQL_Server_8.0.31_Auto_Generated_CA_Certificate ...
The Charmed MySQL K8s application reverted to the certificate that was created locally during the MySQL server installation.
Help us improve this documentation
Most of this documentation can be collaboratively discussed and changed on the respective topic in the doc category of the Charmhub forum. See the documentation guidelines if you’d like to contribute.