How to enable TLS encryption

This guide describes how to enable TLS using the self-signed-certificates operator as an example.

Caution

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.

Enable TLS

First, deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS, integrate it with your MySQL application, using the command that matches your charm:

juju relate self-signed-certificates mysql
juju relate self-signed-certificates mysql-k8s

Manage keys

Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. Note that key contents must be passed to the action base64-encoded on a single line with base64 -w0 (no line wrapping), never as the raw file contents via cat.

With three replicas, follow the procedure below.

Generate a shared internal (private) key:

openssl genrsa -out internal-key.pem 3072

Apply the newly generated internal key on each juju unit:

juju run mysql/0 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run mysql/1 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run mysql/2 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run mysql-k8s/0 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run mysql-k8s/1 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run mysql-k8s/2 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
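As an added example (not from the charm documentation), the script below automates the steps above: it generates the shared internal key, verifies that the base64 -w0 output is a single valid base64 token, and runs set-tls-private-key on each unit. The KEY_FILE and JUJU variables and the check_encoded helper are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the charm documentation): generate one shared
# internal key, encode it as a single base64 line, and apply it to every unit.
set -eu

KEY_FILE="${KEY_FILE:-internal-key.pem}"   # shared internal (private) key
JUJU="${JUJU:-juju}"                       # juju binary; overridable for dry runs

# Create a 3072-bit RSA key (as in the guide) unless it already exists.
# umask 077 keeps the private key readable by the current user only.
generate_key() {
  [ -f "$KEY_FILE" ] || (umask 077 && openssl genrsa -out "$KEY_FILE" 3072)
}

# base64 -w0 disables line wrapping, so the key arrives as one token.
# Feeding the raw PEM (cat) or wrapped base64 embeds newlines in the parameter.
encode_key() {
  base64 -w0 "$KEY_FILE"
}

# Sanity check: only base64 alphabet characters, and it decodes to a PEM key.
check_encoded() {
  case "$1" in *[![:alnum:]+/=]*) return 1 ;; esac
  printf '%s' "$1" | base64 -d | grep -q 'PRIVATE KEY-----'
}

# Run set-tls-private-key on units 0..N-1 of one application (mysql or mysql-k8s).
apply_key() {
  local app="$1" replicas="$2" encoded i
  encoded="$(encode_key)"
  check_encoded "$encoded" || { echo "key is not a single base64 line" >&2; return 1; }
  for i in $(seq 0 $((replicas - 1))); do
    "$JUJU" run "$app/$i" set-tls-private-key "internal-key=$encoded"
  done
}

# Usage: ./apply-tls-key.sh mysql 3   (or: ./apply-tls-key.sh mysql-k8s 3)
main() { generate_key; apply_key "$1" "${2:-3}"; }
[ "$#" -eq 0 ] || main "$@"
```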

Juju 2.9 users

Remember that juju run <action name> becomes juju run-action <action name> --wait.

See also: Breaking changes between Juju 2.9 and 3

Updates can also be done with auto-generated keys by running the action without a key parameter:

juju run mysql/0 set-tls-private-key
juju run mysql/1 set-tls-private-key
juju run mysql/2 set-tls-private-key
juju run mysql-k8s/0 set-tls-private-key
juju run mysql-k8s/1 set-tls-private-key
juju run mysql-k8s/2 set-tls-private-key

Disable TLS

Disable TLS by removing the integration:

juju remove-relation self-signed-certificates mysql
juju remove-relation self-signed-certificates mysql-k8s