
Charmed MySQL
Security hardening guide
This document provides an overview of security features and guidance for hardening the security of Charmed MySQL deployments, including setting up and managing a secure environment.
Environment
The environment where Charmed MySQL operates can be divided into two components:
- Cloud
- Juju
Cloud
Charmed MySQL can be deployed on top of several clouds and virtualisation layers:
Juju
Juju is the component responsible for orchestrating the entire lifecycle, from deployment to Day 2 operations. For more information on Juju security hardening, see the Juju security page and the How to harden your deployment guide.
Cloud credentials
When configuring cloud credentials to be used with Juju, ensure that users have the correct permissions to operate at the required level. Juju superusers responsible for bootstrapping and managing controllers require elevated permissions to manage several kinds of resources, such as virtual machines, networks, and storage. Please refer to the links below for more information on the policies required for each cloud.
Cloud | Cloud user policies |
---|---|
OpenStack | OpenStack cloud and Juju |
AWS | Juju AWS Permission, AWS Instance Profiles, Juju on AWS |
Azure | Juju Azure Permission, How to use Juju with Microsoft Azure |
GCP | Google GCE cloud and Juju |
Juju users
It is very important that Juju users are set up with minimal permissions depending on the scope of their operations. Please refer to the User access levels documentation for more information on the access levels and corresponding abilities.
Juju user credentials must be stored securely and rotated regularly to limit the chances of unauthorized access due to credential leakage.
Applications
The following sections provide guidance on hardening your deployment in these areas:
- Operating system
- Security upgrades
- Encryption
- Authentication
- Monitoring and auditing
Operating system
Charmed MySQL and Charmed MySQL Router run on top of Ubuntu 22.04. Deploy a Landscape Client Charm to connect the underlying VM to a Landscape User Account to manage security upgrades and integrate Ubuntu Pro subscriptions.
Security upgrades
Charmed MySQL operator and Charmed MySQL Router operator install a pinned revision of the Charmed MySQL snap to provide reproducible and secure environments.
New versions (revisions) of charmed operators can be released to upgrade workloads, the operator’s code, or both. It is important to refresh the charm regularly to make sure the workload is as secure as possible.
For more information on upgrading the charm, see the How to upgrade MySQL and How to upgrade MySQL Router guides, as well as the Release notes.
Encryption
By default, encryption is optional for both external connections and internal communication between cluster members. To enforce encryption in transit, integrate Charmed MySQL with a TLS certificate provider. Please refer to the Charming Security page for more information on how to select the right certificate provider for your use case.
Encryption in transit for backups is provided by the storage (Charmed MySQL is a client for the S3 storage).
For more information on encryption, see the Cryptography explanation page and How to enable encryption guide.
Authentication
Charmed MySQL uses the caching_sha2_password plugin for authentication.
Monitoring and auditing
Charmed MySQL provides native integration with the Canonical Observability Stack (COS). To reduce the blast radius of infrastructure disruptions, the general recommendation is to deploy COS and the observed application into separate environments, isolated from one another. Refer to the COS production deployments best practices for more information.
For instructions, see the How to enable monitoring, How to enable alert rules, and How to enable tracing guides.
The Audit log plugin is enabled by default and produces login/logout logs. See the Audit Logs guide for further configuration. These logs are stored in the /var/snap/charmed-mysql/common/var/log/mysql directory of the MySQL container and are rotated every minute to the /var/snap/charmed-mysql/common/var/log/mysql/archive_audit directory. It’s recommended to integrate the charm with COS, from where the logs can be easily persisted and queried using Loki/Grafana.
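The following sketch is an added example, not part of the Charmed MySQL documentation or charm code: it reads the two audit log directories named above and reports sources with repeated failed logins, for hosts where the logs are not yet shipped to COS. The record layout (one JSON object per line under an audit_record key, with a non-zero status on failure), the audit* file name pattern and all sample values are assumptions; check them against the Audit Logs guide.

```python
import json
from collections import Counter
from pathlib import Path

# Directories named in the guide: live audit logs and the rotated archive.
LOG_DIR = Path("/var/snap/charmed-mysql/common/var/log/mysql")
ARCHIVE_DIR = LOG_DIR / "archive_audit"

# Constructed sample. Assumed format: one JSON object per line wrapped in
# "audit_record", with status 0 on success and a MySQL error code on failure.
SAMPLE = """\
{"audit_record":{"name":"Connect","timestamp":"2025-01-10T09:00:01Z","status":0,"user":"app","host":"10.0.0.5"}}
{"audit_record":{"name":"Connect","timestamp":"2025-01-10T09:00:07Z","status":1045,"user":"app","host":"10.0.0.9"}}
{"audit_record":{"name":"Connect","timestamp":"2025-01-10T09:00:08Z","status":1045,"user":"app","host":"10.0.0.9"}}
{"audit_record":{"name":"Connect","timestamp":"2025-01-10T09:00:09Z","status":1045,"user":"app","host":"10.0.0.9"}}
{"audit_record":{"name":"Quit","timestamp":"2025-01-10T09:00:30Z","status":0,"user":"app","host":"10.0.0.5"}}
{"audit_record":{"name":"Connect","timestamp":"2025-01-10T09:00:41Z","status":1045,"user":"root","host":"10.0.0.7"}}
{"audit_record":{"name":"Conn
"""

def parse_records(lines):
    """Yield audit_record dicts, skipping blank, partial or foreign lines."""
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a file read while it was being rotated
        rec = obj.get("audit_record") if isinstance(obj, dict) else None
        if isinstance(rec, dict):
            yield rec

def failed_logins(records, threshold=3):
    """Return {(user, host): count} for sources with >= threshold failed connects."""
    counts = Counter(
        (r.get("user", ""), r.get("host", ""))
        for r in records
        if r.get("name") == "Connect" and r.get("status", 0) != 0
    )
    return {src: n for src, n in counts.items() if n >= threshold}

def iter_audit_lines(dirs=(ARCHIVE_DIR, LOG_DIR)):
    """Yield lines from rotated files first, then live ones (audit* is an assumed pattern)."""
    for d in dirs:
        for path in sorted(d.glob("audit*")) if d.is_dir() else []:
            if path.is_file():
                with path.open(errors="replace") as fh:
                    yield from fh

if __name__ == "__main__":
    lines = list(iter_audit_lines()) or SAMPLE.splitlines()
    for (user, host), n in failed_logins(parse_records(lines)).items():
        print(f"{n} failed logins for {user!r} from {host!r}")
```

Because files are rotated every minute, a one-off run only sees what is still on disk; run it on a schedule or forward the logs to Loki for longer retention.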
Additional Resources
For details on the cryptography used by Charmed MySQL, see the Cryptography explanation page.