diff --git a/bitnami/mysql/CHANGELOG.md b/bitnami/mysql/CHANGELOG.md index cf796717b2166f..61438bbcb1ce5b 100644 --- a/bitnami/mysql/CHANGELOG.md +++ b/bitnami/mysql/CHANGELOG.md @@ -1,8 +1,12 @@ # Changelog -## 12.0.1 (2024-11-25) +## 12.1.0 (2024-11-27) -* [bitnami/mysql] Release 12.0.1 ([#30614](https://github.com/bitnami/charts/pull/30614)) +* [bitnami/mysql] feat: :sparkles: Add TLS support ([#30640](https://github.com/bitnami/charts/pull/30640)) + +## 12.0.1 (2024-11-25) + +* [bitnami/mysql] Release 12.0.1 (#30614) ([cb712f4](https://github.com/bitnami/charts/commit/cb712f4fa72499975e813673edc0fa76927bbfd2)), closes [#30614](https://github.com/bitnami/charts/issues/30614) ## 12.0.0 (2024-11-12) diff --git a/bitnami/mysql/Chart.yaml b/bitnami/mysql/Chart.yaml index d327f6a802c546..aa3d87ec8f1584 100644 --- a/bitnami/mysql/Chart.yaml +++ b/bitnami/mysql/Chart.yaml @@ -34,4 +34,4 @@ maintainers: name: mysql sources: - https://github.com/bitnami/charts/tree/main/bitnami/mysql -version: 12.0.1 +version: 12.1.0 diff --git a/bitnami/mysql/README.md b/bitnami/mysql/README.md index 84ba3f72153658..ddbbeaaaf44ee5 100644 --- a/bitnami/mysql/README.md +++ b/bitnami/mysql/README.md 
@@ -112,11 +112,26 @@ initContainers: containerPort: 1234 ``` +### TLS + +This chart supports encrypting communications using TLS. To enable this feature, set the `tls.enabled`. + +It is necessary to create a secret containing the TLS certificates and pass it to the chart via the `tls.existingSecret` parameter. Every secret should contain a `tls.crt` and `tls.key` keys including the certificate and key files respectively and, optionally, a `ca.crt` key including the CA certificate. For example: create the secret with the certificates files: + +```console +kubectl create secret generic tls-secret --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt +``` + +You can manually create the required TLS certificates or relying on the chart auto-generation capabilities. The chart supports two different ways to auto-generate the required certificates: + +- Using Helm capabilities. Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `helm`. +- Relying on CertManager (please note it's required to have CertManager installed in your K8s cluster). Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `cert-manager`. Please note it's supported to use an existing Issuer/ClusterIssuer for issuing the TLS certificates by setting the `tls.autoGenerated.certManager.existingIssuer` and `tls.autoGenerated.certManager.existingIssuerKind` parameters. + ### Update credentials Bitnami charts, with its default settings, configure credentials at first boot. Any further change in the secrets or credentials can be done using one of the following methods: -### Manual update of the passwords and secrets +#### Manual update of the passwords and secrets - Update the user password following [the upstream documentation](https://dev.mysql.com/doc/refman/8.4/en/set-password.html) - Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and ROOT_PASSWORD placeholders) 
@@ -125,14 +140,14 @@ Bitnami charts, with its default settings, configure credentials at first boot. kubectl create secret generic SECRET_NAME --from-literal=password=PASSWORD --from-literal=root-password=ROOT_PASSWORD --dry-run -o yaml | kubectl apply -f - ``` -### Automated update using a password update job +#### Automated update using a password update job The Bitnami MySQL provides a password update job that will automatically change the MySQL passwords when running helm upgrade. To enable the job set `passwordUpdateJob.enabled=true`. This job requires: - The new passwords: this is configured using either `auth.rootPassword`, `auth.password` and `auth.replicationPassword` (if applicable) or setting `auth.existingSecret`. - The previous passwords: This value is taken automatically from already deployed secret object. If you are using `auth.existingSecret` or `helm template` instead of `helm upgrade`, then set either `passwordUpdate.job.previousPasswords.rootPassword`, `passwordUpdate.job.previousPasswords.password`, `passwordUpdate.job.previousPasswords.replicationPassword` (when applicable), setting `auth.existingSecret`. -In the following example we update the password via values.yaml in a mariadb installation with replication +In the following example we update the password via values.yaml in a mysql installation with replication ```yaml architecture: "replication" 
@@ -246,6 +261,27 @@ If you encounter errors when working with persistent volumes, refer to our [trou | `startdbScripts` | Dictionary of startdb scripts | `{}` | | `startdbScriptsConfigMap` | ConfigMap with the startdb scripts (Note: Overrides `startdbScripts`) | `""` | +### TLS/SSL parameters + +| Name | Description | Value | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | --------- | +| `tls.enabled` | Enable TLS in MySQL | `false` | +| `tls.existingSecret` | Existing secret that contains TLS certificates | `""` | +| `tls.certFilename` | The secret key from the existingSecret if 'cert' key different from the default (tls.crt) | `tls.crt` | +| `tls.certKeyFilename` | The secret key from the existingSecret if 'key' key different from the default (tls.key) | `tls.key` | +| `tls.certCAFilename` | The secret key from the existingSecret if 'ca' key different from the default (tls.crt) | `""` | +| `tls.ca` | CA certificate for TLS. Ignored if `tls.existingSecret` is set | `""` | +| `tls.cert` | TLS certificate for MySQL. Ignored if `tls.existingSecret` is set | `""` | +| `tls.key` | TLS key for MySQL. 
Ignored if `tls.existingSecret` is set | `""` | +| `tls.autoGenerated.enabled` | Enable automatic generation of certificates for TLS | `true` | +| `tls.autoGenerated.engine` | Mechanism to generate the certificates (allowed values: helm, cert-manager) | `helm` | +| `tls.autoGenerated.certManager.existingIssuer` | The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) | `""` | +| `tls.autoGenerated.certManager.existingIssuerKind` | Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine) | `""` | +| `tls.autoGenerated.certManager.keyAlgorithm` | Key algorithm for the certificates (only for `cert-manager` engine) | `RSA` | +| `tls.autoGenerated.certManager.keySize` | Key size for the certificates (only for `cert-manager` engine) | `2048` | +| `tls.autoGenerated.certManager.duration` | Duration for the certificates (only for `cert-manager` engine) | `2160h` | +| `tls.autoGenerated.certManager.renewBefore` | Renewal period for the certificates (only for `cert-manager` engine) | `360h` | + ### MySQL Primary parameters | Name | Description | Value | diff --git a/bitnami/mysql/templates/_helpers.tpl b/bitnami/mysql/templates/_helpers.tpl index be46835968aa5d..757a36da1480d0 100644 --- a/bitnami/mysql/templates/_helpers.tpl +++ b/bitnami/mysql/templates/_helpers.tpl 
@@ -180,6 +180,25 @@ Return the secret with new MySQL credentials {{- end -}} {{- end -}} +{{/* +Return the MySQL TLS credentials secret +*/}} +{{- define "mysql.tlsSecretName" -}} +{{- if .Values.tls.existingSecret -}} + {{- print (tpl .Values.tls.existingSecret $) -}} +{{- else -}} + {{- printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "mysql.tlsCACert" -}} +{{- if or (eq .Values.tls.autoGenerated.engine "helm") (and (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) .Values.tls.ca) -}} + {{- printf "/opt/bitnami/mysql/certs/%s" "ca.crt" -}} +{{- else }} + {{- ternary "" (printf "/opt/bitnami/mysql/certs/%s" .Values.tls.certCAFilename) (empty .Values.tls.certCAFilename) }} +{{- end -}} +{{- end -}} + {{/* Check if there are rolling tags in the images */}} {{- define "mysql.checkRollingTags" -}} {{- include "common.warnings.rollingTag" .Values.image }} diff --git a/bitnami/mysql/templates/ca-cert.yaml b/bitnami/mysql/templates/ca-cert.yaml new file mode 100644 index 00000000000000..2cfdf3e2079dbf --- /dev/null +++ b/bitnami/mysql/templates/ca-cert.yaml 
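Review bot: `mysql.tlsCACert` returns the `ca.crt` path whenever `tls.autoGenerated.engine` is `helm` — the default — even when `tls.autoGenerated.enabled` is `false` and `tls.existingSecret` is set, so in that configuration `tls.certCAFilename` is silently ignored and `ssl_ca` points at a `ca.crt` key the user's secret may not contain, which I would expect mysqld to reject at startup. The first branch should also require auto-generation to be on: `{{- if or (and .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "helm")) (and (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) .Values.tls.ca) -}}`. Conversely, with the `cert-manager` engine the else branch yields an empty path unless `tls.certCAFilename` is set, although the Certificate in cert.yaml is issued from a CA Issuer, for which cert-manager normally populates a `ca.crt` key in the secret; consider defaulting that branch to `ca.crt` when `tls.autoGenerated.enabled` is true. A header comment such as `Return the in-container path of the CA certificate, or an empty string when no CA is available` would also help, since the statefulsets use this helper's output as a boolean.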
@@ -0,0 +1,56 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }} +{{- if empty .Values.tls.autoGenerated.certManager.existingIssuer }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ printf "%s-clusterissuer" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mysql + app.kubernetes.io/component: mysql + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + selfSigned: {} +--- +{{- end }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mysql + app.kubernetes.io/component: mysql + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }} + commonName: {{ printf "%s-ca" (include "common.names.fullname" .) 
}} + isCA: true + issuerRef: + name: {{ default (printf "%s-clusterissuer" (include "common.names.fullname" .)) .Values.tls.autoGenerated.certManager.existingIssuer }} + kind: {{ default "Issuer" .Values.tls.autoGenerated.certManager.existingIssuerKind }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mysql + app.kubernetes.io/component: mysql + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + ca: + secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }} +{{- end }} diff --git a/bitnami/mysql/templates/cert.yaml b/bitnami/mysql/templates/cert.yaml new file mode 100644 index 00000000000000..03693ed20c205c --- /dev/null +++ b/bitnami/mysql/templates/cert.yaml 
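Review bot: The self-signed issuer at the top of the file is a namespaced `Issuer` but is named `<fullname>-clusterissuer`, which misleads anyone reading `kubectl get issuer`; `{{ printf "%s-selfsigned-issuer" (include "common.names.fullname" .) }}` (and the matching `default` in the CA Certificate's `issuerRef`) would describe what it is. It is also worth documenting that when `tls.autoGenerated.certManager.existingIssuer` is set the chart still creates its own intermediate CA Certificate and CA Issuer signed by that issuer rather than issuing the server certificate from it directly — a comment such as `# The external issuer signs a chart-local CA; the server certificate in cert.yaml is issued by that CA` would prevent surprises for users expecting their issuer's certificate on the wire. The CA Certificate carries no `duration`, `renewBefore` or `privateKey`, so it presumably falls back to cert-manager defaults rather than honouring the `tls.autoGenerated.certManager.*` values applied to the leaf certificate; if that is intended, say so in a comment.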
@@ -0,0 +1,48 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ printf "%s-crt" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mysql + app.kubernetes.io/component: mysql + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + secretName: {{ printf "%s-crt" (include "common.names.fullname" .) }} + commonName: {{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain }} + issuerRef: + name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }} + kind: Issuer + subject: + organizations: + - "MySQL" + dnsNames: + - '*.{{ include "common.names.namespace" . }}' + - '*.{{ include "common.names.namespace" . }}.svc' + - '*.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + - '*.{{ include "mysql.primary.fullname" . }}' + - '*.{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}' + - '*.{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc' + - '*.{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + - '*.{{ include "mysql.secondary.fullname" . }}' + - '*.{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}' + - '*.{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc' + - '*.{{ include "mysql.secondary.fullname" . 
}}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + privateKey: + algorithm: {{ .Values.tls.autoGenerated.certManager.keyAlgorithm }} + size: {{ int .Values.tls.autoGenerated.certManager.keySize }} + duration: {{ .Values.tls.autoGenerated.certManager.duration }} + renewBefore: {{ .Values.tls.autoGenerated.certManager.renewBefore }} +{{- end }} diff --git a/bitnami/mysql/templates/primary/statefulset.yaml b/bitnami/mysql/templates/primary/statefulset.yaml index 447d472ca82beb..df1615c93ccf63 100644 --- a/bitnami/mysql/templates/primary/statefulset.yaml +++ b/bitnami/mysql/templates/primary/statefulset.yaml @@ -174,6 +174,12 @@ spec: name: {{ template "mysql.secretName" . }} key: mysql-root-password {{- end }} + - name: MYSQL_ENABLE_SSL + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if and .Values.tls.enabled (include "mysql.tlsCACert" .) }} + - name: MYSQL_CLIENT_CA_FILE + value: {{ include "mysql.tlsCACert" . | quote }} + {{- end }} {{- if not (empty .Values.auth.username) }} - name: MYSQL_USER value: {{ .Values.auth.username | quote }} @@ -306,6 +312,10 @@ spec: - name: empty-dir mountPath: /opt/bitnami/mysql/logs subPath: app-logs-dir + {{- if .Values.tls.enabled }} + - name: cert + mountPath: /opt/bitnami/mysql/certs + {{- end }} {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts mountPath: /docker-entrypoint-initdb.d 
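Review bot: The `dnsNames` list includes `*.<namespace>`, `*.<namespace>.svc` and `*.<namespace>.svc.<clusterDomain>`, which makes the server certificate valid for every Service in the release namespace; its private key is mounted into every MySQL pod, so anyone who can read the `<fullname>-crt` Secret or exec into a pod can impersonate any other service in the namespace to clients that trust this CA. The SANs should be limited to the names this chart actually serves — the exact names of `mysql.primary.fullname` and `mysql.secondary.fullname` with their `.<namespace>`, `.svc` and `.svc.<clusterDomain>` forms, plus single-label pod wildcards under the real headless Services. I also do not see a `<fullname>-headless` Service in this chart; if the headless Services are named after `mysql.primary.fullname`/`mysql.secondary.fullname` instead, the last four wildcard entries match nothing, and since a wildcard covers only one label, `*.<namespace>.svc.<clusterDomain>` does not cover per-pod FQDNs either — please confirm against the service templates.
```yaml
  dnsNames:
    - '{{ include "mysql.primary.fullname" . }}'
    - '{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}'
    - '{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc'
    - '{{ include "mysql.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
    - '{{ include "mysql.secondary.fullname" . }}'
    - '{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}'
    - '{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc'
    - '{{ include "mysql.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
    # … pod wildcards '*.<headless service>.<namespace>.svc.<clusterDomain>' for the primary and secondary headless Services, using their real names …
```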
@@ -422,6 +432,12 @@ spec: path: mysql-replication-password {{- end }} {{- end }} + {{- if .Values.tls.enabled }} + - name: cert + secret: + secretName: {{ include "mysql.tlsSecretName" . }} + defaultMode: 256 + {{- end }} - name: empty-dir emptyDir: {} {{- if .Values.primary.extraVolumes }} diff --git a/bitnami/mysql/templates/secondary/statefulset.yaml b/bitnami/mysql/templates/secondary/statefulset.yaml index 873a9614f7c9bb..1b5605600749b7 100644 --- a/bitnami/mysql/templates/secondary/statefulset.yaml +++ b/bitnami/mysql/templates/secondary/statefulset.yaml @@ -177,6 +177,12 @@ spec: value: {{ .Values.secondary.containerPorts.mysql | quote}} - name: MYSQL_REPLICATION_USER value: {{ .Values.auth.replicationUser | quote }} + - name: MYSQL_ENABLE_SSL + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if and .Values.tls.enabled (include "mysql.tlsCACert" .) }} + - name: MYSQL_CLIENT_CA_FILE + value: {{ include "mysql.tlsCACert" . | quote }} + {{- end }} {{- if .Values.auth.usePasswordFiles }} - name: MYSQL_MASTER_ROOT_PASSWORD_FILE value: {{ default "/opt/bitnami/mysql/secrets/mysql-root-password" .Values.auth.customPasswordFiles.root }} @@ -278,6 +284,10 @@ spec: {{- if .Values.secondary.persistence.subPath }} subPath: {{ .Values.secondary.persistence.subPath }} {{- end }} + {{- if .Values.tls.enabled }} + - name: cert + mountPath: /opt/bitnami/mysql/certs + {{- end }} {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts mountPath: /docker-entrypoint-initdb.d @@ -402,6 +412,12 @@ spec: - key: mysql-replication-password path: mysql-replication-password {{- end }} + {{- if .Values.tls.enabled }} + - name: cert + secret: + secretName: {{ include "mysql.tlsSecretName" . }} + defaultMode: 256 + {{- end }} - name: empty-dir emptyDir: {} {{- if .Values.secondary.extraVolumes }} 
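Review bot: The `cert` volume in both StatefulSets mounts the TLS Secret, but nothing in the pod template changes when that Secret's contents change, so a renewed certificate (cert-manager renews `<fullname>-crt` before expiry, and a user may rotate `tls.existingSecret`) lands in the mounted files without the pods restarting; as far as I know mysqld reads `ssl_cert`/`ssl_key` only at startup or on `ALTER INSTANCE RELOAD TLS`, so the server keeps presenting the old certificate, possibly past its expiry. Either add a checksum annotation on the pod template for the chart-rendered secret (which helps only the `helm` and values-provided paths) or document the limitation next to the volume: `# NOTE: mysqld does not pick up renewed certificates; restart the pods or run ALTER INSTANCE RELOAD TLS after rotation`. `defaultMode: 256` is 0400 in decimal and deserves a comment saying so, as the key presumably becomes readable to the container only through the pod's fsGroup. The enclosing `volumes` lists start outside these hunks.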
diff --git a/bitnami/mysql/templates/tls-secret.yaml b/bitnami/mysql/templates/tls-secret.yaml
new file mode 100644
index 00000000000000..f5fef25482d82e
--- /dev/null
+++ b/bitnami/mysql/templates/tls-secret.yaml
@@ -0,0 +1,51 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- if and .Values.tls.enabled (eq .Values.tls.autoGenerated.engine "helm") }} +{{- $ca := genCA "mysql-ca" 365 }} +{{- $releaseNamespace := include "common.names.namespace" . }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $primaryServiceName := include "mysql.primary.fullname" . }} +{{- $secondaryServiceName := include "mysql.secondary.fullname" . }} +{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $primaryServiceName $secondaryServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $secondaryServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (include "common.names.fullname" .) "localhost" "127.0.0.1" }} +{{- $cert := genSignedCert $primaryServiceName nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . 
| quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mysql + app.kubernetes.io/component: mysql + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} +{{- else if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mysql + app.kubernetes.io/component: mysql + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + {{- if .Values.tls.ca }} + ca.crt: {{ .Values.tls.ca | b64enc | quote }} + {{- end -}} + tls.crt: {{ required "A valid .Values.tls.cert entry required!" .Values.tls.cert | b64enc | quote }} + tls.key: {{ required "A valid .Values.tls.key entry required!" .Values.tls.key | b64enc | quote }} +{{- end }} diff --git a/bitnami/mysql/values.yaml b/bitnami/mysql/values.yaml index c77a25fb6314ed..45bf19066f1086 100644 --- a/bitnami/mysql/values.yaml +++ b/bitnami/mysql/values.yaml 
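Review bot: Two of the `$altNames` entries have mismatched `printf` arguments: `(printf "*.%s.%s.svc.%s" $primaryServiceName $secondaryServiceName $releaseNamespace $clusterDomain)` passes four values to three verbs and `(printf "%s.%s.svc.%s" $releaseNamespace $clusterDomain)` passes two, so the helm-generated certificate carries SANs such as `*.<primary>.<secondary>.svc.<namespace>%!(EXTRA string=...)` and `<namespace>.<clusterDomain>.svc.%!s(MISSING)` while the primary Service's FQDN appears only as the CN, which most modern clients ignore for hostname verification. They should read `(printf "*.%s.%s.svc.%s" $primaryServiceName $releaseNamespace $clusterDomain)` and `(printf "%s.%s.svc.%s" $primaryServiceName $releaseNamespace $clusterDomain)`, mirroring the secondary and headless entries. Separately, the outer condition `and .Values.tls.enabled (eq .Values.tls.autoGenerated.engine "helm")` ignores `tls.autoGenerated.enabled`, so with the default engine a self-signed CA and Secret are still rendered when the user disabled auto-generation and supplied `tls.existingSecret`; add `.Values.tls.autoGenerated.enabled` to that `and`. Finally, `genCA "mysql-ca" 365` and `genSignedCert ... 365` produce one-year certificates that `common.secrets.lookup` deliberately preserves across upgrades, leaving no renewal path once they expire — worth a comment at the top of the helm branch stating that and pointing users at the cert-manager engine for rotation.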
@@ -184,6 +184,45 @@ startdbScripts: {} ## @param startdbScriptsConfigMap ConfigMap with the startdb scripts (Note: Overrides `startdbScripts`) ## startdbScriptsConfigMap: "" +## @section TLS/SSL parameters +## +## @param tls.enabled Enable TLS in MySQL +## @param tls.existingSecret Existing secret that contains TLS certificates +## @param tls.certFilename The secret key from the existingSecret if 'cert' key different from the default (tls.crt) +## @param tls.certKeyFilename The secret key from the existingSecret if 'key' key different from the default (tls.key) +## @param tls.certCAFilename The secret key from the existingSecret if 'ca' key different from the default (tls.crt) +## @param tls.ca CA certificate for TLS. Ignored if `tls.existingSecret` is set +## @param tls.cert TLS certificate for MySQL. Ignored if `tls.existingSecret` is set +## @param tls.key TLS key for MySQL. Ignored if `tls.existingSecret` is set +## +tls: + enabled: false + existingSecret: "" + certFilename: tls.crt + certKeyFilename: tls.key + certCAFilename: "" + ca: "" + cert: "" + key: "" + ## @param tls.autoGenerated.enabled Enable automatic generation of certificates for TLS + ## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager) + autoGenerated: + enabled: true + engine: helm + ## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine) + ## @param 
tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine) + certManager: + existingIssuer: "" + existingIssuerKind: "" + keySize: 2048 + keyAlgorithm: RSA + duration: 2160h + renewBefore: 360h + ## @section MySQL Primary parameters ## primary: @@ -233,6 +272,13 @@ primary: character-set-server=UTF8 slow_query_log=0 long_query_time=10.0 + {{- if .Values.tls.enabled }} + ssl_cert=/opt/bitnami/mysql/certs/{{ .Values.tls.certFilename }} + ssl_key=/opt/bitnami/mysql/certs/{{ .Values.tls.certKeyFilename }} + {{- if (include "mysql.tlsCACert" .) }} + ssl_ca={{ include "mysql.tlsCACert" . }} + {{- end }} + {{- end }} [client] port={{ .Values.primary.containerPorts.mysql }} @@ -661,6 +707,13 @@ secondary: character-set-server=UTF8 slow_query_log=0 long_query_time=10.0 + {{- if .Values.tls.enabled }} + ssl_cert=/opt/bitnami/mysql/certs/{{ .Values.tls.certFilename }} + ssl_key=/opt/bitnami/mysql/certs/{{ .Values.tls.certKeyFilename }} + {{- if (include "mysql.tlsCACert" .) }} + ssl_ca={{ include "mysql.tlsCACert" . }} + {{- end }} + {{- end }} [client] port={{ .Values.secondary.containerPorts.mysql }}
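Review bot: The `@param tls.certCAFilename` description says the default is `(tls.crt)`, but the CA key the chart looks for by default is `ca.crt` (the key written by the auto-generated Secret and returned by `mysql.tlsCACert`), so the line should read `## @param tls.certCAFilename The secret key from the existingSecret if 'ca' key different from the default (ca.crt)`; the README table carries the same wording. Since `tls.autoGenerated.enabled` defaults to `true` with `engine: helm`, setting only `tls.enabled=true` yields a chart-local self-signed CA that clients will not trust unless they retrieve `ca.crt` from the `<fullname>-crt` Secret — that consequence deserves a sentence in the comment above `autoGenerated`. The `keySize`/`keyAlgorithm` values are listed in the opposite order from their `@param` lines, which is harmless but trips up readers matching the two.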
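Review bot: Enabling TLS here only adds `ssl_cert`, `ssl_key` and `ssl_ca` to `[mysqld]`, which lets the server offer TLS but does not require it — a client connecting with `--ssl-mode=DISABLED` (or an older client that does not negotiate TLS) is still accepted over plaintext, and presumably the same holds for the replication account. If the intent of `tls.enabled` is that traffic is encrypted, consider rendering `require_secure_transport=ON` in the same block, or at least add a values comment stating that encryption is optional per connection and that `require_secure_transport` (or `REQUIRE SSL` on the accounts) is needed to enforce it. The same applies to the secondary configuration block in the following hunk. The enclosing `primary.configuration` default starts before this hunk.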