It seems the most recent version of mysql-router 8.0.23-0ubuntu0.20.04.1 [0] has broken our implementation of TLS. Six days ago this [0] landed in Focal.
At first glance, it appears the previous behavior of TCP proxying the mysql connections to the mysql-innodb-cluster nodes, and therefore allowing TLS to be terminated at the cluster node, not at the router, has changed. It now appears TLS termination is occurring at the mysql-router.
We cannot simply point Python clients at the auto-generated CA for the router, as the Python clients do hostname validation.
We will need to implement the certificates relation for mysql-router and use a Vault CA and certificates that include 127.0.0.1.
[0] https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.23-0ubuntu0.20.04.1
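The hostname-validation point above can be reproduced offline with the following added example (not part of the original report, and not code from the charm or from mysql-router). It assumes clients connect to the router on 127.0.0.1, uses a throwaway OpenSSL CA as a stand-in for the Vault CA, and the names demo-ca and router.example are made up. A certificate that chains to a trusted CA is still rejected for 127.0.0.1 unless its subjectAltName carries that IP.

```shell
#!/bin/sh
# Constructed demo; demo-ca and router.example are made-up names.

# make_ca DIR: throwaway CA standing in for the Vault CA (assumption).
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-ca" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME SAN: leaf certificate signed by the CA with the given SAN.
issue_cert() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# trusted_for_ip DIR NAME IP: true only if the chain verifies AND the
# certificate's SAN covers IP (the check a validating client performs).
trusted_for_ip() {
    openssl verify -CAfile "$1/ca.pem" -verify_ip "$3" "$1/$2.pem" >/dev/null 2>&1
}

# check_san_cases: prints "<dns-only result> <with-ip result>" for 127.0.0.1.
check_san_cases() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" || return 1
    issue_cert "$dir" dns-only "DNS:router.example" || return 1
    issue_cert "$dir" with-ip "DNS:router.example,IP:127.0.0.1" || return 1
    a=rejected; b=rejected
    trusted_for_ip "$dir" dns-only 127.0.0.1 && a=accepted
    trusted_for_ip "$dir" with-ip 127.0.0.1 && b=accepted
    rm -rf "$dir"
    echo "$a $b"
}

check_san_cases
```

Both certificates chain to the same trusted CA; only the SAN differs, which is why trusting the CA alone does not satisfy a client that validates the peer name.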