Bug #109357 TLS/SSL Certificates with MySQL Operator now working
Submitted: 13 Dec 2022 7:11    Modified: 13 Dec 2022 12:55
Reporter: Dileep AP
Status: Can't repeat    Impact on me: None
Category: MySQL Server    Severity: S3 (Non-critical)
Version: MySQL Operator 8.0.31    OS: Ubuntu
Assigned to: MySQL Verification Team    CPU Architecture: x86

[13 Dec 2022 7:11] Dileep AP
Description:
Kubernetes - microk8s
Version - v1.23
MySql Operator - 8.0.31
Note:
-rw-rw-r-- 1 baa baa 1399 Dec  9 12:47 ca.pem
-rw-rw-r-- 1 baa baa 1253 Dec  9 13:02 router-cert.pem
-rw-rw-r-- 1 baa baa 1675 Dec  9 13:02 router-key.pem
-rw-rw-r-- 1 baa baa 1253 Dec  9 12:49 server-cert.pem
-rw-rw-r-- 1 baa baa 1675 Dec  9 12:49 server-key.pem

server-cert.pem & router-cert.pem are the same cert with different names.
server-key.pem & router-key.pem are the same key with different names.

I have configured my own (self-created) TLS certificates with the procedure below.
2.2 When you have own CA and TLS certificates
        export NAMESPACE="your-namespace"
        export CLUSTER_NAME="my-mysql-innodbcluster"
        export CA_SECRET="${CLUSTER_NAME}-ca-secret"
        export TLS_SECRET="${CLUSTER_NAME}-tls-secret"
        export ROUTER_TLS_SECRET="${CLUSTER_NAME}-router-tls-secret"
        # Path to ca.pem, server-cert.pem, server-key.pem, router-cert.pem and router-key.pem
        export CERT_PATH="/path/to/your/ca_and_tls_certificates"

        kubectl create namespace $NAMESPACE

        kubectl create secret generic $CA_SECRET \
            --namespace=$NAMESPACE --dry-run=client --save-config -o yaml \
            --from-file=ca.pem=${CERT_PATH}/ca.pem \
        | kubectl apply -f -

        kubectl create secret tls $TLS_SECRET \
            --namespace=$NAMESPACE --dry-run=client --save-config -o yaml \
            --cert=${CERT_PATH}/server-cert.pem --key=${CERT_PATH}/server-key.pem \
        | kubectl apply -f -

        kubectl create secret tls $ROUTER_TLS_SECRET \
            --namespace=$NAMESPACE --dry-run=client --save-config -o yaml \
            --cert=${CERT_PATH}/router-cert.pem --key=${CERT_PATH}/router-key.pem \
        | kubectl apply -f -

        helm install my-mysql-innodbcluster mysql-operator/mysql-innodbcluster -n $NAMESPACE \
        --version 2.0.7 \
        --set credentials.root.password=">-0URS4F3P4SS" \
        --set tls.useSelfSigned=false \
        --set tls.caSecretName=$CA_SECRET \
        --set tls.serverCertAndPKsecretName=$TLS_SECRET \
        --set tls.routerCertAndPKsecretName=$ROUTER_TLS_SECRET

The router pod is not coming up and the stateful set is not showing ready. 

How to repeat:
Please test with your own CA certs; it is creating this issue.

The MySQL pod is showing below error.

2022-12-13T06:58:20.832745Z 0 [ERROR] [MY-013780] [Repl] Plugin group_replication reported: 'Failed to establish MySQL client connection in Group Replication. Error establishing connection. Please refer to the manual to make sure that you configured Group Replication properly to work with MySQL Protocol connections.'
[13 Dec 2022 12:55] MySQL Verification Team
Hi Mr. AP,

Thank you for your bug report.

However, if you have generated your own router certificate, it should be different from the server certificate.

Why don't you use openssl to verify both certificates?

Just use its verify command.

Next, both server and router should be configured to use their own certificates, which requires setting four different variables for each of those. We do not see that from your report.

Do note that this is a forum for bug reports and not for asking support questions.

Can't repeat.
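The checks the Verification Team points at (chain verification with `openssl verify`, plus confirming that each key belongs to its certificate and that the server and router certificates are actually different) can be scripted before the secrets are created. The following is an added example, not part of the bug report or of the MySQL Operator project: it expects a directory laid out like the reporter's (ca.pem, server-cert.pem, server-key.pem, router-cert.pem, router-key.pem), needs only the openssl CLI, and the `make_demo_pki` helper builds throwaway, constructed test material (hypothetical CN values) so the script can run offline.

```shell
#!/bin/sh
# Added example (not from the bug report): sanity-check a ca.pem /
# server-cert.pem / server-key.pem / router-cert.pem / router-key.pem set
# before it is loaded into the operator's Kubernetes secrets. Needs openssl.
set -eu

# Does certificate $2 chain to the CA in $1? (exactly what "openssl verify" answers)
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key in $2 belong to the certificate in $1?
# Both public keys are DER-encoded and hashed, then the digests are compared.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Are $1 and $2 different certificates? (compares SHA-256 fingerprints)
certs_distinct() {
    fp1=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    fp2=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$fp1" != "$fp2" ]
}

# Run every check over a directory laid out like the one in the report.
# Prints one line per check; returns non-zero if any check fails.
check_cert_dir() {
    dir=$1; rc=0
    for role in server router; do
        if verify_chain "$dir/ca.pem" "$dir/$role-cert.pem"; then
            echo "$role-cert.pem chains to ca.pem: OK"
        else
            echo "$role-cert.pem chains to ca.pem: FAIL"; rc=1
        fi
        if key_matches_cert "$dir/$role-cert.pem" "$dir/$role-key.pem"; then
            echo "$role-key.pem matches $role-cert.pem: OK"
        else
            echo "$role-key.pem matches $role-cert.pem: FAIL"; rc=1
        fi
    done
    if certs_distinct "$dir/server-cert.pem" "$dir/router-cert.pem"; then
        echo "server and router certificates are distinct: OK"
    else
        echo "server and router certificates are distinct: FAIL"; rc=1
    fi
    return $rc
}

# Build a throwaway CA plus separate server and router certificates
# (constructed demo material, hypothetical CNs) and print the directory path.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" >/dev/null 2>&1
    for role in server router; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$role" \
            -keyout "$d/$role-key.pem" -out "$d/$role.csr" >/dev/null 2>&1
        openssl x509 -req -days 365 -in "$d/$role.csr" \
            -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
            -out "$d/$role-cert.pem" >/dev/null 2>&1
    done
    echo "$d"
}

# Usage: ./check-certs.sh --demo   (self-test on generated material)
#        . ./check-certs.sh && check_cert_dir /path/to/your/ca_and_tls_certificates
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_pki)
    check_cert_dir "$demo"
    rm -rf "$demo"
fi
```

Running `check_cert_dir` over a directory where router-cert.pem is a renamed copy of server-cert.pem, as in the report, passes the chain and key checks but fails the distinctness check, which is the condition the reply calls out.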