Bug #108544 MySQL Operator unable to login using SSH
Submitted: 19 Sep 2022 16:50
Modified: 29 Sep 2022 16:12
Reporter: Lucas Mellos Carlos
Status: Verified
Category: MySQL Operator
Severity: S1 (Critical)
Version: 5.0.30
OS: Any
Assigned to:
CPU Architecture: Any
Tags: kubernetes, login, mysql-operator, SSL

[19 Sep 2022 16:50] Lucas Mellos Carlos
Description:
The MySQL operator isn't capable of allowing logins using TLS certs. Whenever the database admin tries to log in it doesn't allow it.

How to repeat:
Install MySQL-Operator with the following helm configs.

  tls:
    useSelfSigned: false
    caSecretName: "mysql-ca"
    serverCertAndPKsecretName: "mysql-licensing-tls"
    routerCertAndPKsecretName: "mysql-licensing-tls"

Commands to create a new user

CREATE USER 'alice'@'%' REQUIRE SUBJECT '/CN=alice';
GRANT ALL ON `%`.* TO 'alice'@'%';

Use a self-hosted TLS cert with subject CN=alice

[29 Sep 2022 16:12] MySQL Verification Team
Thank you for the report.

[17 Feb 2023 15:04] Andrey Hristov
Posted by developer:
 
Hi,
I tested and it worked for me.

My config follows (self-signed certs):
bash-4.4$ cat /tmp/ca.pem
bash-4.4$ cat /tmp/tls.crt
bash-4.4$ cat /tmp/tls.key

bash-4.4$ openssl x509 -in ca.pem  --text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:fc:47:bc:08:09:ef:b6:8b:5f:fd:3f:ff:0a:51:4f:db:a2:2c:c6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Test_CA1
        Validity
            Not Before: Feb 17 14:24:43 2023 GMT
            Not After : Jan 24 14:24:43 2123 GMT
        Subject: CN = Test_CA1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                FF:10:C4:F9:43:ED:0C:1F:0D:9B:68:AF:9D:45:01:F1:1A:F3:8B:89
            X509v3 Authority Key Identifier: 
                FF:10:C4:F9:43:ED:0C:1F:0D:9B:68:AF:9D:45:01:F1:1A:F3:8B:89
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

bash-4.4$ openssl x509 -in tls.crt  --text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Test_CA1
        Validity
            Not Before: Feb 17 14:24:43 2023 GMT
            Not After : Feb 14 14:24:43 2033 GMT
        Subject: CN = myclust3r, O = mycluster
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:*.mycluster-instances.andrey.svc.cluster.local, DNS:*.mycluster-instances
            X509v3 Subject Key Identifier: 
                1B:94:B7:B7:1E:D7:E9:0F:EF:12:C9:BE:8C:71:8B:59:89:EB:50:99
            X509v3 Authority Key Identifier: 
                FF:10:C4:F9:43:ED:0C:1F:0D:9B:68:AF:9D:45:01:F1:1A:F3:8B:89
    Signature Algorithm: sha256WithRSAEncryption

mysql> create user 'cn_user'@'%' IDENTIFIED BY 'sakila' REQUIRE SUBJECT '/CN=myclust3r/O=mycluster';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'cn_user'@'%' with grant option;
Query OK, 0 rows affected (0.01 sec)

bash-4.4$ mysqlsh --sqlc -ucn_user -psakila --ssl-mode=VERIFY_IDENTITY --host mycluster-0.mycluster-instances.andrey.svc.cluster.local  --ssl-ca=/tmp/ca.pem --ssl-cert=/tmp/tls.crt --ssl-key=/tmp/tls.key --tls-version=TLSv1.3
MySQL Shell 8.0.33

Copyright (c) 2016, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.

Type '\help' or '\?' for help; '\quit' to exit.
WARNING: Using a password on the command line interface can be insecure.
Creating a Classic session to 'cn_user@mycluster-0.mycluster-instances.andrey.svc.cluster.local?ssl-ca=%2Ftmp%2Fca.pem&ssl-cert=%2Ftmp%2Ftls.crt&ssl-key=%2Ftmp%2Ftls.key&ssl-mode=verify_identity&tls-version=TLSv1.3'
Fetching global names for auto-completion... Press ^C to stop.
Your MySQL connection id is 4359
Server version: 8.0.31 MySQL Community Server - GPL
No default schema selected; type \use <schema> to set one.
MySQL  mycluster-0.mycluster-instances.andrey.svc.cluster.local:3306 ssl  SQL > select version();
+-----------+
| version() |
+-----------+
| 8.0.31    |
+-----------+
1 row in set (0.0010 sec)
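
Added example (not part of the thread or of the MySQL Operator code): MySQL compares a REQUIRE SUBJECT value to the certificate subject as a plain string, so case and component order must match exactly. The script below prints a certificate's subject in the /CN=.../O=... form used in the statements above and checks it against a candidate value. It assumes the openssl CLI is on PATH; the function names and the throwaway certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the string to use in REQUIRE SUBJECT from a certificate.
# Assumes the openssl CLI is installed; all file names and helpers are hypothetical.

# Print the certificate subject in the legacy one-line form (/CN=.../O=...).
mysql_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Succeed only if the subject equals the REQUIRE SUBJECT value exactly
# (same case, same components, same order).
subject_matches() {
    [ "$(mysql_subject "$1")" = "$2" ]
}

# Create a throwaway self-signed certificate (constructed test data).
# usage: make_test_cert <subject> <out.crt>
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_test_cert "/CN=myclust3r/O=mycluster" "$dir/tls.crt"
    echo "certificate subject: $(mysql_subject "$dir/tls.crt")"
    # The full subject matches; a partial or reordered one does not.
    for want in "/CN=myclust3r/O=mycluster" "/CN=myclust3r" \
                "/O=mycluster/CN=myclust3r"; do
        if subject_matches "$dir/tls.crt" "$want"; then
            echo "REQUIRE SUBJECT '$want' -> match"
        else
            echo "REQUIRE SUBJECT '$want' -> no match"
        fi
    done
    rm -rf "$dir"
}

demo
```

Running `mysql_subject` on the client certificate before issuing CREATE USER gives the exact string to paste into REQUIRE SUBJECT.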