Mysql Router
- By MySQL Charm Maintainers
- Cloud
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/edge | 188 | 09 May 2024 | |
| 8.0/stable | 189 | 13 May 2024 | |
| dpe/candidate | 186 | 06 May 2024 | |
| dpe/beta | 186 | 02 May 2024 | |
| dpe/edge | 186 | 02 May 2024 | |
| 8.0.19/stable | 26 | 05 May 2022 | |
| 8.0.19/edge | 26 | 05 May 2022 |
juju deploy mysql-router --channel dpe/candidate
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
This is part of the Charmed MySQLRouter Tutorial. Please refer to this page for more information and the overview of the content
Enable encryption with TLS
Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.
Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MySQLRouter so that configuring TLS requires minimal effort on your end.
TLS is enabled by integrating Charmed MySQLRouter with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.
In this section, you will learn how to enable security in your MySQLRouter deployment using TLS encryption.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificates charms available.
Enable TLS
Before enabling TLS on Charmed MySQLRouter, we must first deploy the self-signed-certificates charm:
juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"
Wait until the self-signed-certificates is up and active, then use juju status –watch 1s to monitor the progress:
Model Controller Cloud/Region Version SLA Timestamp
database lxd localhost/localhost 3.1.8 unsupported 18:47:51Z
App Version Status Scale Charm Channel Rev Exposed Message
mysql 8.0.34-0ubun... active 1 mysql 8.0/stable 196 no
mysql-router 8.0.36-0ubun... active 1 mysql-router 103 no
mysql-test-app 0.0.2 active 1 mysql-test-app stable 36 no
self-signed-certificates active 1 self-signed-certificates stable 72 no
Unit Workload Agent Machine Public address Ports Message
mysql-test-app/0* active idle 1 10.205.193.227
mysql-router/0* active idle 10.205.193.227
mysql/0* active idle 0 10.205.193.171 3306,33060/tcp Primary
self-signed-certificates/0* active idle 2 10.205.193.175
Machine State Address Inst id Base AZ Message
0 started 10.205.193.171 juju-3c2f36-0 ubuntu@22.04 Running
1 started 10.205.193.227 juju-3c2f36-1 ubuntu@22.04 Running
2 started 10.205.193.175 juju-3c2f36-2 ubuntu@22.04 Running
To enable TLS on Charmed MySQLRouter, integrate the two applications:
juju integrate mysql-router self-signed-certificates
Check the TLS certificate in use:
Use openssl to connect to MySQLRouter in the juju machine, and check the TLS certificate in use:
ubuntu@localhost:~$ juju ssh mysql-router/0 "openssl s_client -showcerts -starttls mysql -unix /var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock < /dev/null | openssl x509 -text | grep Issuer"
...
Issuer: C = US, CN = Tutorial CA
...
Congratulations! MySQLRouter is now using a TLS certificate generated by the external application self-signed-certificates.
Disable TLS
To remove the external TLS and return to the locally generated one, unrelate the applications:
juju remove-relation mysql-router self-signed-certificatese
Check the TLS certificate in use:
ubuntu@localhost:~$ juju ssh mysql-router/0 "openssl s_client -showcerts -starttls mysql -unix /var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock < /dev/null | openssl x509 -text | grep Issuer"
The output should be similar to:
...
Issuer: CN = MySQL_Router_Auto_Generated_CA_Certificate
...
The Charmed MySQLRouter application reverted to the placeholder certificate that was created locally during the MySQLRouter installation.