Charmed MySQL K8s

  • By Canonical Data Platform
Channel Revision Published Runs on
8.0/stable 75 20 Apr 2023
Ubuntu 22.04
8.0/candidate 75 20 Apr 2023
Ubuntu 22.04
8.0/beta 75 20 Apr 2023
Ubuntu 22.04
8.0/edge 83 26 May 2023
Ubuntu 22.04
juju deploy mysql-k8s --channel 8.0/stable
Show information


Enable Security in your MySQL deployment

This is part of the Charmed MySQL Tutorial. Please refer to this page for more information and the overview of the content.

Transport Layer Security (TLS)

TLS is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed MySQL K8s. This means (re-)configuring TLS on Charmed MySQL K8s is readily available and requires minimal effort on your end.

Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed MySQL K8s to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management in a consistent manner and handles providing, requesting, and renewing TLS certificates.

Configure TLS

Before enabling TLS on Charmed MySQL K8s we must first deploy the tls-certificates-operator charm:

juju deploy tls-certificates-operator --config generate-self-signed-certificates="true" --config ca-common-name="Tutorial CA"

Wait until the tls-certificates-operator is up and active, use juju status --watch 1s to monitor the progress:

Model     Controller  Cloud/Region        Version  SLA          Timestamp
tutorial  overlord    microk8s/localhost  2.9.38   unsupported  23:04:02+01:00

App                        Version   Status  Scale  Charm                      Channel      Rev  Address         Exposed  Message
mysql-k8s                  8.0.31    active      2  mysql-k8s                  8.0/stable   36  no       
tls-certificates-operator            active      1  tls-certificates-operator  stable       22   no       

Unit                          Workload  Agent  Address      Ports  Message
mysql-k8s/0*                  active    idle          Unit is ready: Mode: RW
mysql-k8s/1                   active    idle         Unit is ready: Mode: RO
tls-certificates-operator/0*  active    idle 

Note: this tutorial uses self-signed certificates; self-signed certificates should not be used in a production cluster.

To enable TLS on Charmed MySQL, relate the two applications:

juju relate mysql-k8s tls-certificates-operator

Add external TLS certificate

Use openssl to connect to the MySQL and check the TLS certificate in use:

> openssl s_client -starttls mysql -connect | grep Issuer
depth=1 C = US, CN = Tutorial CA

Congratulations! MySQL is now using TLS certificate generated by the external application tls-certificates-operator.

Remove external TLS certificate

To remove the external TLS and return to the locally generate one, unrelate applications:

juju remove-relation mysql-k8s tls-certificates-operator

Check the TLS certificate in use:

> openssl s_client -starttls mysql -connect | grep Issuer

The output should be similar to:

Issuer: CN = MySQL_Server_8.0.31_Auto_Generated_CA_Certificate

The Charmed MySQL K8s application reverted to the certificate that was created locally during the MySQL server installation.

Help us improve this documentation

Most of this documentation can be collaboratively discussed and changed on the respective topic in the doc category of the Charmhub forum. See the documentation guidelines if you’d like to contribute.

Last updated a month ago. Help improve this document in the forum.