This tutorial demonstrates how to enable TLS (Transport Layer Security) connections for RadonDB MySQL Operator.
Overview
RadonDB MySQL Operator uses unencrypted connections by default. Without encryption, any third party able to sniff or monitor the network path can read the data transferred between server and client, so you are advised to enable encrypted connections.
TLS connections are supported by the RadonDB MySQL Operator server and by MySQL. For example, MySQL 5.7 supports TLS 1.0, 1.1, and 1.2, while MySQL 8.0 supports TLS 1.0, 1.1, 1.2, and 1.3. TLS 1.0 and 1.1 are deprecated protocol versions; where both client and server support TLS 1.2 or later, prefer those.
There are two prerequisites for an encrypted connection:
- Encrypted connections are enabled on the MySQL Operator server.
- The client connects using an encrypted connection.
Enable encrypted connection
Prepare certificates
- ca.crt: the CA certificate for the server
- tls.key: the private key matching the server certificate
- tls.crt: the server certificate
The certificates and key can be generated with OpenSSL, or simply with the mysql_ssl_rsa_setup tool shipped with MySQL:
mysql_ssl_rsa_setup --datadir=/tmp/certs
The following files are generated:
certs
├── ca-key.pem
├── ca.pem
├── client-cert.pem
├── client-key.pem
├── private_key.pem
├── public_key.pem
├── server-cert.pem
└── server-key.pem
Create Secret with the certificate files
kubectl create secret generic sample-ssl --from-file=tls.crt=server-cert.pem --from-file=tls.key=server-key.pem --from-file=ca.crt=ca.pem --type=kubernetes.io/tls
Configure the RadonDB MySQL cluster to use TLS
kubectl patch mysqlclusters.mysql.radondb.com sample --type=merge -p '{"spec":{"tlsSecretName":"sample-ssl"}}'
Note: this configuration triggers a rolling update and therefore restarts the cluster.
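The two steps above (creating the Secret, then patching the cluster) depend on each certificate file landing under the right Secret key; swapping the key and the certificate, or pointing tls.crt at a file that does not exist, is only discovered once the pods restart. The following added example (not RadonDB's code, and not what kubectl itself runs) builds the same kubernetes.io/tls Secret object that the kubectl command produces, after checking that each file carries the PEM type its key expects, and emits the merge-patch body used above. The PEM contents are constructed stand-ins, not real certificates; the file names follow the mysql_ssl_rsa_setup output listed earlier.

```python
"""Build the kubernetes.io/tls Secret used by the tutorial from the
mysql_ssl_rsa_setup output files, validating PEM types first.
Added example; not part of the RadonDB MySQL Operator."""
import base64
import json
import re

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>[A-Za-z0-9+/=\n]+)-----END (?P=label)-----\n?"
)

# Acceptable PEM labels per Secret key. tls.key accepts PKCS#1 ("RSA PRIVATE KEY",
# what mysql_ssl_rsa_setup writes) and PKCS#8 ("PRIVATE KEY").
EXPECTED_LABELS = {
    "tls.crt": {"CERTIFICATE"},
    "tls.key": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "ca.crt": {"CERTIFICATE"},
}

# The mapping the tutorial's kubectl command performs: Secret key -> file name.
FILE_MAPPING = {
    "tls.crt": "server-cert.pem",
    "tls.key": "server-key.pem",
    "ca.crt": "ca.pem",
}


def pem_label(pem_text: str) -> str:
    """Return the label (e.g. 'CERTIFICATE') of a single well-formed PEM block,
    raising ValueError for anything else (wrong framing or non-base64 body)."""
    m = PEM_RE.fullmatch(pem_text)
    if not m:
        raise ValueError("not a single well-formed PEM block")
    # validate=True rejects stray characters instead of silently skipping them.
    base64.b64decode(m.group("body").replace("\n", ""), validate=True)
    return m.group("label")


def build_tls_secret(name: str, files: dict) -> dict:
    """files maps file name -> PEM text. Returns the Secret object with the
    same keys and base64 data kubectl would produce; raises ValueError when a
    file is missing or has the wrong PEM type (e.g. key and cert swapped)."""
    data = {}
    for secret_key, file_name in FILE_MAPPING.items():
        if file_name not in files:
            raise ValueError(f"missing {file_name} for Secret key {secret_key}")
        label = pem_label(files[file_name])
        if label not in EXPECTED_LABELS[secret_key]:
            raise ValueError(
                f"{file_name}: expected one of {sorted(EXPECTED_LABELS[secret_key])} "
                f"under {secret_key}, got {label}"
            )
        data[secret_key] = base64.b64encode(files[file_name].encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/tls",
        "data": data,
    }


def cluster_tls_patch(secret_name: str) -> str:
    """The merge-patch body from the tutorial's kubectl patch command, as JSON."""
    return json.dumps({"spec": {"tlsSecretName": secret_name}})


def _fake_pem(label: str, payload: bytes) -> str:
    # Constructed stand-in for a real PEM file: correct framing, dummy content.
    body = base64.b64encode(payload).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample; stands in for the files mysql_ssl_rsa_setup writes.
SAMPLE_FILES = {
    "ca.pem": _fake_pem("CERTIFICATE", b"constructed-ca-cert-bytes"),
    "server-cert.pem": _fake_pem("CERTIFICATE", b"constructed-server-cert-bytes"),
    "server-key.pem": _fake_pem("RSA PRIVATE KEY", b"constructed-server-key-bytes"),
}

if __name__ == "__main__":
    print(json.dumps(build_tls_secret("sample-ssl", SAMPLE_FILES), indent=2))
    print(cluster_tls_patch("sample-ssl"))
```

Run the script to print the Secret as it would be applied with `kubectl apply -f`; with real files, read each into the dict in place of SAMPLE_FILES. The PEM-type check catches the most common mistake at this step (a private key stored under tls.crt) before the rolling update exposes it as a failing cluster.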
Verification
- Non-SSL connection
kubectl exec -it sample-mysql-0 -c mysql -- mysql -uradondb_usr -p"RadonDB@123" -e "\s"
mysql Ver 14.14 Distrib 5.7.34-37, for Linux (x86_64) using 7.0
Connection id: 7940
Current database:
Current user: radondb_usr@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.34-37-log Percona Server (GPL), Release 37, Revision 7c516e9
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: latin1
Conn. characterset: latin1
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 21 hours 49 min 36 sec
Threads: 5 Questions: 181006 Slow queries: 0 Opens: 127 Flush tables: 1 Open tables: 120 Queries per second avg: 2.303
- SSL connection
kubectl exec -it sample-mysql-0 -c mysql -- mysql -uradondb_usr -p"RadonDB@123" --ssl-mode=REQUIRED -e "\s"
mysql: [Warning] Using a password on the command line interface can be insecure.
--------------
mysql Ver 14.14 Distrib 5.7.34-37, for Linux (x86_64) using 7.0
Connection id: 7938
Current database:
Current user: radondb_usr@localhost
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.34-37-log Percona Server (GPL), Release 37, Revision 7c516e9
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: latin1
Conn. characterset: latin1
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 21 hours 49 min 26 sec
Threads: 5 Questions: 180985 Slow queries: 0 Opens: 127 Flush tables: 1 Open tables: 120 Queries per second avg: 2.303
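The two status dumps above differ in one line, and a verification script should key on exactly that line rather than on eyeballing the output. The following added example (not from the RadonDB docs) parses the `SSL:` line of a `mysql -e "\s"` status block, returns the negotiated cipher or None, and flags whether the cipher provides forward secrecy (ECDHE/DHE key exchange, or any TLS 1.3 suite). The two embedded status excerpts are constructed, modelled on the outputs shown above.

```python
"""Check `mysql -e "\\s"` status output for an encrypted session.
Added example; not part of the RadonDB MySQL Operator."""
import re

SSL_LINE = re.compile(r"^SSL:\s+(?P<value>.*?)\s*$", re.MULTILINE)
CIPHER_LINE = re.compile(r"Cipher in use is (?P<cipher>\S+)")


def ssl_cipher(status_output: str):
    """Return the negotiated cipher name when the status block reports an SSL
    session, or None when it reports 'Not in use'. Raises ValueError when no
    SSL line is present (e.g. the client failed before printing a status block),
    so a broken run is never mistaken for a plaintext one."""
    m = SSL_LINE.search(status_output)
    if not m:
        raise ValueError("no 'SSL:' line in status output")
    value = m.group("value")
    if value == "Not in use":
        return None
    c = CIPHER_LINE.search(value)
    if not c:
        raise ValueError(f"unrecognised SSL status: {value!r}")
    return c.group("cipher")


def check_encrypted(status_output: str) -> bool:
    """True when the session negotiated TLS."""
    return ssl_cipher(status_output) is not None


def has_forward_secrecy(cipher: str) -> bool:
    """Ephemeral key exchange: OpenSSL names starting with ECDHE-/DHE-, or any
    TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*), which always uses (EC)DHE."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_"))


# Constructed excerpts modelled on the tutorial's two verification runs.
PLAIN = """\
Connection id:          7940
Current user:           radondb_usr@localhost
SSL:                    Not in use
Connection:             Localhost via UNIX socket
"""

ENCRYPTED = """\
Connection id:          7938
Current user:           radondb_usr@localhost
SSL:                    Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Connection:             Localhost via UNIX socket
"""

if __name__ == "__main__":
    for name, out in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        cipher = ssl_cipher(out)
        fs = has_forward_secrecy(cipher) if cipher else False
        print(f"{name}: encrypted={cipher is not None} cipher={cipher} forward_secrecy={fs}")
```

In practice, pipe the output of the `kubectl exec ... -e "\s"` command into `ssl_cipher`. Note that both runs above connect through the UNIX socket inside the pod, so the check only proves the server will negotiate TLS; for a client that reaches the cluster over the network, run the same command with `--ssl-mode=VERIFY_CA` (or `VERIFY_IDENTITY`) and the ca.crt from the Secret so that the server certificate is also validated, not merely used.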