Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

Note: All commands are written for juju >= v.3.1

If you’re using juju 2.9, check the juju 3.0 Release Notes.

How to enable encryption

This guide will show how to enable TLS using the self-signed-certificates operator as an example.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.


Enable TLS

First, deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS on MySQL, integrate the two applications:

juju integrate self-signed-certificates mysql-k8s

Manage keys

Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. Note that passing keys to external/internal keys should only be done with base64 -w0, not cat.

With three replicas, this schema should be followed:

Generate a shared internal (private) key

openssl genrsa -out internal-key.pem 3072

Apply the newly generated internal key on each juju unit:

juju run-action mysql-k8s/0 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)" --wait
juju run-action mysql-k8s/1 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)" --wait
juju run-action mysql-k8s/2 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)" --wait

Updates can also be done with auto-generated keys:

juju run-action mysql-k8s/0 set-tls-private-key --wait
juju run-action mysql-k8s/1 set-tls-private-key --wait
juju run-action mysql-k8s/2 set-tls-private-key --wait

Disable TLS

Disable TLS by removing the integration:

juju remove-relation tls-certificates-operator mysql-k8s

Last updated 8 months ago. Help improve this document in the forum.