Charmed MySQL K8s
- Canonical
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
8.0/stable | 180 | 02 Sep 2024 | |
8.0/stable | 181 | 02 Sep 2024 | |
8.0/candidate | 180 | 26 Aug 2024 | |
8.0/candidate | 181 | 26 Aug 2024 | |
8.0/beta | 207 | 15 Nov 2024 | |
8.0/beta | 206 | 15 Nov 2024 | |
8.0/edge | 209 | 18 Nov 2024 | |
8.0/edge | 208 | 18 Nov 2024 |
juju deploy mysql-k8s --channel 8.0/beta
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
Charmed MySQL K8s Tutorial > 6. Enable TLS encryption
Enable encryption with TLS
Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.
Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MySQL so that configuring TLS requires minimal effort on your end.
TLS is enabled by integrating Charmed MySQL with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.
In this section, you will learn how to enable security in your MySQL deployment using TLS encryption.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificates charms available.
Summary
Enable TLS
To enable TLS on Charmed MySQL K8s, we must deploy the self-signed-certificates
charm and integrate it with MySQL.
Deploy TLS charm
Deploy the self-signed-certificates
TLS charm with the following command:
juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"
Wait until self-signed-certificates
is up and active, using juju status --watch 1s
to monitor its progress:
Model Controller Cloud/Region Version SLA Timestamp
tutorial overlord microk8s/localhost 3.5.2 unsupported 23:04:02+01:00
App Version Status Scale Charm Channel Rev Address Exposed Message
mysql-k8s 8.0.31 active 2 mysql-k8s 8.0/stable 36 10.152.183.234 no
self-signed-certificates active 1 self-signed-certificates stable 72 10.152.183.76 no
Unit Workload Agent Address Ports Message
mysql-k8s/0* active idle 10.1.84.74 Unit is ready: Mode: RW
mysql-k8s/1 active idle 10.1.84.127 Unit is ready: Mode: RO
self-signed-certificates/0* active idle 10.1.84.71
Integrate with MySQL
To enable TLS on Charmed MySQL, integrate the two applications:
juju integrate mysql-k8s self-signed-certificates
MySQL K8s is now using TLS certificate generated by the self-signed-certificates
charm.
Check the TLS certificate in use
Use openssl
to connect to MySQL and check the TLS certificate in use:
> openssl s_client -starttls mysql -connect 10.1.84.74:3306 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
...
Disable TLS
To remove the external TLS and return to the locally generate one, remove the integration from the applications:
juju remove-relation mysql-k8s self-signed-certificates
If you once again check the TLS certificates in use via the OpenSSL client, you will see something similar to the output below:
> openssl s_client -starttls mysql -connect 10.1.84.74:3306 | grep Issuer
...
Issuer: CN = MySQL_Server_8.0.31_Auto_Generated_CA_Certificate
...
The Charmed MySQL K8s application reverted to the certificate that was created locally during the MySQL server installation.
Next step: 7. Clean up your environment