Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
c
cool-ocean-71403
06/17/2022, 4:38 AM@creamy-pencil-82913 I have a mysql8.0.29 server setup on my aws ec2 which has been configured with require_secure_transport = ON and ssl related files. I have an user configured for k3s with REQUIRE SSL option. Now what steps I need to take to make a secure TLS connection from my k3s master node to this database server? I am a bit confused and clueless here.
c
creamy-pencil-82913
06/17/2022, 4:40 AMhave you tried the parameters listed here? https://rancher.com/docs/k3s/latest/en/installation/datastore/#external-datastore-configuration-parameters
c
cool-ocean-71403
06/17/2022, 4:44 AMI am not sure which parameters I need to use and also what files should I put on those locations and from where should I get those certificate files.
c
creamy-pencil-82913
06/17/2022, 4:46 AMif you’re using a self-signed CA on the database server you’d need to have a copy of that CA certificate on the node, and point the --datastore-cafile at it. If you’re using client certificates for authentication to the datastore, you will need the client cert and key for the --datastore-certfile and --datastore-keyfile. If you have a real certificate for the server, and are just using password auth, you don’t need any of this.
c
cool-ocean-71403
06/17/2022, 4:52 AMHow do I know if my certificate is self-signed or real one? I just installed mysql on centos and then the mysql server auto generated the certificates required for me. So, this is self signed right?
So, in this case I copy only the server-cert.pem file to the k3s master node and point it using that cafile parameter?
I am not even sure if I am using client certificates authentication or not. What is the best approach here in terms of security and TLS? Should I use client certificates? If so, how? generate them at the client side? or copy the client-certs from the mysql server itself?
c
creamy-pencil-82913
06/17/2022, 4:56 AMit looks like you could probably use ca.pem for the cafile, and client-cert.pem and client-cert.key for certfile and keyfile. I’m not a mysql expert though.
c
cool-ocean-71403
06/17/2022, 4:59 AMSo, using these 3 files in the k3s master node setup can provide secure TLS connection from the k3s master to the mysql datastore? Do you think that will be the best approach here in terms of security?
c
creamy-pencil-82913
06/17/2022, 5:07 AMyeah worth a try!
c
cool-ocean-71403
06/17/2022, 5:11 AMAlright giving it a try. Let's see what happens.
@creamy-pencil-82913 It worked but with a little bit of problem. I have two mysql servers on master-master replication mode. And I have a network load balancer for those two database servers. So, when I use the network load balancer IP in k3s datastore, it is only able to properly connect to only one of those mysql server whose ssl related files I provided. It is not able to connect to the other one whose ssl files I cannot provide because k3s allows only one CA, Key and Cert files. Is there any way this can be extended to two or multiples files to make this thing work?
c
creamy-pencil-82913
06/18/2022, 5:38 PMUse the same root CA on both servers.
c
cool-ocean-71403
06/19/2022, 1:29 AM@creamy-pencil-82913 Will the mysql server start if I change the ca.pem files now? Should I just copy all the pem files from db1 to db2 and then restart db2? Will it conflict anything?
Nevermind, it worked perfectly fine. I just copied the same pem files to another server and restarted that mysql server. Now everything working perfectly including the loadbalancer.
Thanks for the help @creamy-pencil-82913