MySQL Router K8s
- By Canonical Data Platform
- Databases
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| 8.0/stable | 96 | 22 Mar 2024 | |
| 8.0/candidate | 112 | 02 May 2024 | |
| 8.0/beta | 112 | 02 May 2024 | |
| 8.0/edge | 112 | 02 May 2024 |
juju deploy mysql-router-k8s --channel 8.0/edge
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
This is part of the Charmed MySQLRouter K8s Tutorial. Please refer to this page for more information and the overview of the content.
Enable encryption with TLS
Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.
Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MySQL Router K8s so that configuring TLS requires minimal effort on your end.
TLS is enabled by integrating Charmed MySQL Router K8s with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.
In this section, you will learn how to enable security in your MySQL Router K8s deployment using TLS encryption.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificates charms available.
Enable TLS
Before enabling TLS on Charmed MySQL Router K8s, we must first deploy the self-signed-certificates charm:
juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"
Wait until self-signed-certificates is up and active with juju status --watch 1s to monitor the progress.
Model Controller Cloud/Region Version SLA Timestamp
database k8s microk8s/localhost 3.1.8 unsupported 12:10:33Z
App Version Status Scale Charm Channel Rev Address Exposed Message
mysql-k8s 8.0.35-0ubuntu0.22.04.1 active 1 mysql-k8s 8.0/stable 127 10.152.183.101 no
mysql-router-k8s 8.0.36-0ubuntu0.22.04.1 active 1 mysql-router-k8s 8.0/edge 102 10.152.183.92 no
mysql-test-app 0.0.2 active 1 mysql-test-app stable 36 10.152.183.224 no
self-signed-certificates active 1 self-signed-certificates stable 72 10.152.183.114 no
Unit Workload Agent Address Ports Message
mysql-k8s/0* active idle 10.1.241.252 Primary
mysql-router-k8s/0* active idle 10.1.241.253
mysql-test-app/0* active idle 10.1.241.254
self-signed-certificates/0* active idle 10.1.241.255
To enable TLS on Charmed MySQLRouter K8s, integrate the two applications:
juju integrate mysql-router self-signed-certificates
Check the TLS certificate in use:
Use openssl to connect to MySQLRouter K8s in the juju machine, and check the TLS certificate in use:
ubuntu@localhost:~$ juju ssh mysql-router-k8s/0 "openssl s_client -showcerts -starttls mysql -connect 127.0.0.1:6446 < /dev/null | openssl x509 -text | grep Issuer"
...
Issuer: C = US, CN = Tutorial CA
...
Congratulations! MySQLRouter K8s is now using a TLS certificate generated by the external application self-signed-certificates.
Disable TLS
To remove the external TLS and return to the locally generated one, unrelate the applications:
juju remove-relation mysql-router self-signed-certificates
Check the TLS certificate in use:
ubuntu@localhost:~$ juju ssh mysql-router-k8s/0 "openssl s_client -showcerts -starttls mysql -connect 127.0.0.1:6446 < /dev/null | openssl x509 -text | grep Issuer"
The output should be similar to:
...
Issuer: CN = MySQL_Router_Auto_Generated_CA_Certificate
...
The Charmed MySQLRouter K8s application reverted to the placeholder certificate that was created locally during the MySQLRouter K8s installation.