MySQL Router K8s Tutorial - Enable Security

charm
, , ,
1

This is part of the Charmed MySQLRouter K8s Tutorial. Please refer to this page for more information and the overview of the content.

Enable encryption with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MySQL Router K8s so that configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed MySQL Router K8s with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your MySQL Router K8s deployment using TLS encryption.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.

Enable TLS

Before enabling TLS on Charmed MySQL Router K8s, we must first deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is up and active with juju status --watch 1s to monitor the progress.

Model 	Controller  Cloud/Region    	Version  SLA      	Timestamp
database  k8s     	microk8s/localhost  3.1.8	unsupported  12:10:33Z

App                   	Version              	Status  Scale  Charm                 	Channel 	Rev  Address     	Exposed  Message
mysql-k8s             	8.0.35-0ubuntu0.22.04.1  active  	1  mysql-k8s             	8.0/stable  127  10.152.183.101  no  	 
mysql-router-k8s      	8.0.36-0ubuntu0.22.04.1  active  	1  mysql-router-k8s      	8.0/edge	102  10.152.183.92   no  	 
mysql-test-app        	0.0.2                	active  	1  mysql-test-app        	stable   	36  10.152.183.224  no  	 
self-signed-certificates                       	active  	1  self-signed-certificates  stable   	72  10.152.183.114  no  	 

Unit                     	Workload  Agent  Address   	Ports  Message
mysql-k8s/0*             	active	idle   10.1.241.252     	Primary
mysql-router-k8s/0*      	active	idle   10.1.241.253    	 
mysql-test-app/0*        	active	idle   10.1.241.254    	 
self-signed-certificates/0*  active	idle   10.1.241.255

To enable TLS on Charmed MySQLRouter K8s, integrate the two applications:

juju integrate mysql-router self-signed-certificates

Check the TLS certificate in use:

Use openssl to connect to MySQLRouter K8s in the juju machine, and check the TLS certificate in use:

ubuntu@localhost:~$ juju ssh mysql-router-k8s/0 "openssl s_client -showcerts -starttls mysql -connect 127.0.0.1:6446  < /dev/null  | openssl x509 -text | grep Issuer"
...
    	Issuer: C = US, CN = Tutorial CA
...

Congratulations! MySQLRouter K8s is now using a TLS certificate generated by the external application self-signed-certificates.

Disable TLS

To remove the external TLS and return to the locally generated one, unrelate the applications:

juju remove-relation mysql-router self-signed-certificates

Check the TLS certificate in use:

ubuntu@localhost:~$ juju ssh mysql-router-k8s/0 "openssl s_client -showcerts -starttls mysql -connect 127.0.0.1:6446  < /dev/null  | openssl x509 -text | grep Issuer"

The output should be similar to:

...
    	Issuer: CN = MySQL_Router_Auto_Generated_CA_Certificate
...

The Charmed MySQLRouter K8s application reverted to the placeholder certificate that was created locally during the MySQLRouter K8s installation.