This message was deleted.
# k3sa
adamant-kite-43734
06/17/2022, 4:38 AMThis message was deleted.
c
creamy-pencil-82913
06/17/2022, 4:40 AMhave you tried the parameters listed here? https://rancher.com/docs/k3s/latest/en/installation/datastore/#external-datastore-configuration-parameters
c
cool-ocean-71403
06/17/2022, 4:44 AMI am not sure which parameters I need to use and also what files should I put on those locations and from where should I get those certificate files.
c
creamy-pencil-82913
06/17/2022, 4:46 AMif you’re using a self-signed CA on the database server you’d need to have a copy of that CA certificate on the node, and point the --datastore-cafile at it. If you’re using client certificates for authentication to the datastore, you will need the client cert and key for the --datastore-certfile and --datastore-keyfile. If you have a real certificate for the server, and are just using password auth, you don’t need any of this.
c
cool-ocean-71403
06/17/2022, 4:52 AMHow do I know if my certificate is self-signed or real one? I just installed mysql on centos and then the mysql server auto generated the certificates required for me. So, this is self signed right?
So, in this case I copy only the server-cert.pem file to the k3s master node and point it using that cafile parameter?
cool-ocean-71403
06/17/2022, 4:54 AMI am not even sure if I am using client certificates authentication or not. What is the best approach here in terms of security and TLS? Should I use client certificates? If so, how? generate them at the client side? or copy the client-certs from the mysql server itself?
c
creamy-pencil-82913
06/17/2022, 4:56 AMit looks like you could probably use ca.pem for the cafile, and client-cert.pem and client-cert.key for certfile and keyfile. I’m not a mysql expert though.
c
cool-ocean-71403
06/17/2022, 4:59 AMSo, using these 3 files in the k3s master node setup can provide secure TLS connection from the k3s master to the mysql datastore? Do you think that will be the best approach here in terms of security?
c
creamy-pencil-82913
06/17/2022, 5:07 AMyeah worth a try!
c
cool-ocean-71403
06/17/2022, 5:11 AMAlright giving it a try. Let's see what happens.
cool-ocean-71403
06/18/2022, 3:35 PM@creamy-pencil-82913 It worked but with a little bit of problem. I have two mysql servers on master-master replication mode. And I have a network load balancer for those two database servers. So, when I use the network load balancer IP in k3s datastore, it is only able to properly connect to only one of those mysql server whose ssl related files I provided. It is not able to connect to the other one whose ssl files I cannot provide because k3s allows only one CA, Key and Cert files. Is there any way this can be extended to two or multiples files to make this thing work?
c
creamy-pencil-82913
06/18/2022, 5:38 PMUse the same root CA on both servers.
c
cool-ocean-71403
06/19/2022, 1:29 AM@creamy-pencil-82913 Will the mysql server start if I change the ca.pem files now? Should I just copy all the pem files from db1 to db2 and then restart db2? Will it conflict anything?
cool-ocean-71403
06/19/2022, 7:14 AMNevermind, it worked perfectly fine. I just copied the same pem files to another server and restarted that mysql server. Now everything working perfectly including the loadbalancer.
cool-ocean-71403
06/19/2022, 7:14 AMThanks for the help @creamy-pencil-82913
3 Views