Charmed MySQL K8s

Channel Revision Published Runs on
8.0/stable 180 02 Sep 2024
Ubuntu 22.04
8.0/stable 181 02 Sep 2024
Ubuntu 22.04
8.0/candidate 180 26 Aug 2024
Ubuntu 22.04
8.0/candidate 181 26 Aug 2024
Ubuntu 22.04
8.0/beta 207 15 Nov 2024
Ubuntu 22.04
8.0/beta 206 15 Nov 2024
Ubuntu 22.04
8.0/edge 209 18 Nov 2024
Ubuntu 22.04
8.0/edge 208 18 Nov 2024
Ubuntu 22.04
juju deploy mysql-k8s --channel 8.0/candidate
Show information

Platform:

Charmed MySQL K8s Tutorial > 6. Enable TLS encryption

Enable encryption with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MySQL so that configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed MySQL with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your MySQL deployment using TLS encryption.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.

Summary


Enable TLS

To enable TLS on Charmed MySQL K8s, we must deploy the self-signed-certificates charm and integrate it with MySQL.

Deploy TLS charm

Deploy the self-signed-certificates TLS charm with the following command:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is up and active, using juju status --watch 1s to monitor its progress:

Model     Controller  Cloud/Region        Version  SLA          Timestamp
tutorial  overlord    microk8s/localhost  3.5.2  unsupported  23:04:02+01:00

App                        Version   Status  Scale  Charm                      Channel      Rev  Address         Exposed  Message
mysql-k8s                  8.0.31    active      2  mysql-k8s                  8.0/stable   36   10.152.183.234  no       
self-signed-certificates             active      1  self-signed-certificates   stable   72   10.152.183.76   no       

Unit                          Workload  Agent  Address      Ports  Message
mysql-k8s/0*                  active    idle   10.1.84.74          Unit is ready: Mode: RW
mysql-k8s/1                   active    idle   10.1.84.127         Unit is ready: Mode: RO
self-signed-certificates/0*   active    idle   10.1.84.71 

Integrate with MySQL

To enable TLS on Charmed MySQL, integrate the two applications:

juju integrate mysql-k8s self-signed-certificates

MySQL K8s is now using TLS certificate generated by the self-signed-certificates charm.

Check the TLS certificate in use

Use openssl to connect to MySQL and check the TLS certificate in use:

> openssl s_client -starttls mysql -connect 10.1.84.74:3306 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
...

Disable TLS

To remove the external TLS and return to the locally generate one, remove the integration from the applications:

juju remove-relation mysql-k8s self-signed-certificates

If you once again check the TLS certificates in use via the OpenSSL client, you will see something similar to the output below:

> openssl s_client -starttls mysql -connect 10.1.84.74:3306 | grep Issuer
...
Issuer: CN = MySQL_Server_8.0.31_Auto_Generated_CA_Certificate
...

The Charmed MySQL K8s application reverted to the certificate that was created locally during the MySQL server installation.

Next step: 7. Clean up your environment