< creamy pencil 82913> I have a mysql8 0 29 server setup on rancher-users #k3s

Title

# k3s

cool-ocean-71403

06/17/2022, 4:38 AM

@creamy-pencil-82913 I have a mysql8.0.29 server setup on my aws ec2 which has been configured with require_secure_transport = ON and ssl related files. I have an user configured for k3s with REQUIRE SSL option. Now what steps I need to take to make a secure TLS connection from my k3s master node to this database server? I am a bit confused and clueless here.

creamy-pencil-82913

06/17/2022, 4:40 AM

have you tried the parameters listed here? https://rancher.com/docs/k3s/latest/en/installation/datastore/#external-datastore-configuration-parameters

cool-ocean-71403

06/17/2022, 4:44 AM

I am not sure which parameters I need to use and also what files should I put on those locations and from where should I get those certificate files.

creamy-pencil-82913

06/17/2022, 4:46 AM

if you’re using a self-signed CA on the database server you’d need to have a copy of that CA certificate on the node, and point the --datastore-cafile at it. If you’re using client certificates for authentication to the datastore, you will need the client cert and key for the --datastore-certfile and --datastore-keyfile. If you have a real certificate for the server, and are just using password auth, you don’t need any of this.

cool-ocean-71403

06/17/2022, 4:52 AM

How do I know if my certificate is self-signed or real one? I just installed mysql on centos and then the mysql server auto generated the certificates required for me. So, this is self signed right? So, in this case I copy only the server-cert.pem file to the k3s master node and point it using that cafile parameter?

I am not even sure if I am using client certificates authentication or not. What is the best approach here in terms of security and TLS? Should I use client certificates? If so, how? generate them at the client side? or copy the client-certs from the mysql server itself?

creamy-pencil-82913

06/17/2022, 4:56 AM

it looks like you could probably use ca.pem for the cafile, and client-cert.pem and client-cert.key for certfile and keyfile. I’m not a mysql expert though.

cool-ocean-71403

06/17/2022, 4:59 AM

So, using these 3 files in the k3s master node setup can provide secure TLS connection from the k3s master to the mysql datastore? Do you think that will be the best approach here in terms of security?

creamy-pencil-82913

06/17/2022, 5:07 AM

yeah worth a try!

cool-ocean-71403

06/17/2022, 5:11 AM

Alright giving it a try. Let's see what happens.

@creamy-pencil-82913 It worked but with a little bit of problem. I have two mysql servers on master-master replication mode. And I have a network load balancer for those two database servers. So, when I use the network load balancer IP in k3s datastore, it is only able to properly connect to only one of those mysql server whose ssl related files I provided. It is not able to connect to the other one whose ssl files I cannot provide because k3s allows only one CA, Key and Cert files. Is there any way this can be extended to two or multiples files to make this thing work?

creamy-pencil-82913

06/18/2022, 5:38 PM

Use the same root CA on both servers.

cool-ocean-71403

06/19/2022, 1:29 AM

@creamy-pencil-82913 Will the mysql server start if I change the ca.pem files now? Should I just copy all the pem files from db1 to db2 and then restart db2? Will it conflict anything?

Nevermind, it worked perfectly fine. I just copied the same pem files to another server and restarted that mysql server. Now everything working perfectly including the loadbalancer.

Thanks for the help @creamy-pencil-82913

2 Views