MySQL Router Tutorial - Enable Security

This is part of the Charmed MySQLRouter Tutorial. Please refer to this page for more information and an overview of the content.

Enable encryption with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MySQLRouter so that configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed MySQLRouter with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your MySQLRouter deployment using TLS encryption.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.


Enable TLS

Before enabling TLS on Charmed MySQLRouter, we must first deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is up and active. Use juju status --watch 1s to monitor the progress:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
database  lxd         localhost/localhost  3.1.8    unsupported  18:47:51Z

App                       Version          Status  Scale  Charm                     Channel     Rev  Exposed  Message
mysql                     8.0.34-0ubun...  active      1  mysql                     8.0/stable  196  no
mysql-router              8.0.36-0ubun...  active      1  mysql-router                          103  no
mysql-test-app            0.0.2            active      1  mysql-test-app            stable       36  no
self-signed-certificates                   active      1  self-signed-certificates  stable       72  no

Unit                         Workload  Agent  Machine  Public address  Ports           Message
mysql-test-app/0*            active    idle   1        10.205.193.227
  mysql-router/0*            active    idle            10.205.193.227
mysql/0*                     active    idle   0        10.205.193.171  3306,33060/tcp  Primary
self-signed-certificates/0*  active    idle   2        10.205.193.175

Machine  State    Address         Inst id        Base          AZ  Message
0        started  10.205.193.171  juju-3c2f36-0  ubuntu@22.04      Running
1        started  10.205.193.227  juju-3c2f36-1  ubuntu@22.04      Running
2        started  10.205.193.175  juju-3c2f36-2  ubuntu@22.04      Running

To enable TLS on Charmed MySQLRouter, integrate the two applications:

juju integrate mysql-router self-signed-certificates

Check the TLS certificate in use. Use openssl on the Juju machine to connect to MySQLRouter over its Unix socket and inspect the issuer of the certificate it presents:

ubuntu@localhost:~$ juju ssh mysql-router/0 "openssl s_client -showcerts -starttls mysql -unix /var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock < /dev/null  | openssl x509 -text | grep Issuer"
...
    	Issuer: C = US, CN = Tutorial CA
...

Congratulations! MySQLRouter is now using a TLS certificate generated by the external application self-signed-certificates.

Disable TLS

To stop using the external TLS certificate and return to the locally generated one, remove the relation between the applications:

juju remove-relation mysql-router self-signed-certificates

Check the TLS certificate in use:

ubuntu@localhost:~$ juju ssh mysql-router/0 "openssl s_client -showcerts -starttls mysql -unix /var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock < /dev/null  | openssl x509 -text | grep Issuer"

The output should be similar to:

...
    	Issuer: CN = MySQL_Router_Auto_Generated_CA_Certificate
...

The Charmed MySQLRouter application reverted to the placeholder certificate that was created locally during the MySQLRouter installation.
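The two openssl checks above (after enabling TLS and after disabling it) can be turned into a repeatable verification. The script below is an added example, not part of the Charmed MySQLRouter documentation: it extracts the issuer CN from the certificate MySQLRouter presents and reports whether it is the CA deployed with self-signed-certificates, the locally generated placeholder CA, or something unexpected. It assumes the unit name, socket path and ca-common-name used in this tutorial; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the Charmed MySQL Router docs): report which CA
# issued the certificate MySQL Router currently presents.
# Assumes the tutorial's unit name, socket path and CA common name.

ROUTER_UNIT="${ROUTER_UNIT:-mysql-router/0}"
ROUTER_SOCK="/var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock"
EXPECTED_CA_CN="${EXPECTED_CA_CN:-Tutorial CA}"   # ca-common-name from juju deploy
PLACEHOLDER_CA_CN="MySQL_Router_Auto_Generated_CA_Certificate"

# Print the presented certificate in 'openssl x509 -text' form (runs on the unit).
fetch_router_cert() {
    juju ssh "$ROUTER_UNIT" "openssl s_client -showcerts -starttls mysql \
        -unix $ROUTER_SOCK < /dev/null 2>/dev/null | openssl x509 -text -noout"
}

# Read 'openssl x509 -text' output on stdin and print only the issuer CN.
issuer_cn() {
    sed -n 's/^[[:space:]]*Issuer:.*CN *= *\([^,]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Classify an issuer CN. Exit status: 0 expected CA, 1 placeholder, 2 unknown.
classify_issuer() {
    case "$1" in
        "$EXPECTED_CA_CN")
            echo "OK: issuer '$1' is the self-signed-certificates CA"; return 0 ;;
        "$PLACEHOLDER_CA_CN")
            echo "WARN: router still uses the locally generated placeholder CA"; return 1 ;;
        *)
            echo "WARN: unexpected issuer '$1'"; return 2 ;;
    esac
}

# End-to-end check; usage: . ./check_router_tls.sh && check_router_tls
check_router_tls() {
    classify_issuer "$(fetch_router_cert | issuer_cn)"
}
```

A non-zero exit from check_router_tls is a convenient signal for a post-deployment check that the relation to self-signed-certificates is actually in effect.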