Comment 0 for bug 1914299

David Ames (thedac) wrote :

It seems the most recent version of mysql-router 8.0.23-0ubuntu0.20.04.1 [0] has broken our implementation of TLS. Six days ago this [0] landed in Focal.

At first glance, it appears the previous behavior of TCP proxying the mysql connections to the mysql-innodb-cluster nodes, and therefore allowing TLS to be terminated at the cluster node, not at the router, has changed. It now appears TLS termination is occurring at the mysql-router.

We cannot simply point python clients at the auto-generated CA for the router as the python clients do hostname validation.

We will need to implement the certificates relation for mysql-router and use a Vault CA and certificates that include 127.0.0.1.

[0] https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.23-0ubuntu0.20.04.1
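
The hostname-validation point in the comment above, as an added example that is not part of the original comment or of the charm's code: a certificate that names only a DNS host is rejected by a client validating a connection to 127.0.0.1, while one carrying an IP subjectAltName is accepted. It assumes clients reach the router at 127.0.0.1 and that OpenSSL 1.1.1 or later is installed; the throwaway self-signed certificates, the CN and `router.example.internal` are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway self-signed certificates, all names constructed.

# make_cert PREFIX SAN: write PREFIX.pem and PREFIX.key with the given SAN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mysql-router-demo" \
        -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# covers_ip CERT IP: succeed only if CERT has an iPAddress SAN equal to IP.
# This is the same match a validating TLS client applies when it connects
# to an IP address; a DNS SAN or the CN does not satisfy it.
covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match"
}

# covers_host CERT NAME: succeed only if CERT is valid for DNS name NAME.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# The directory is left in place so the results can be inspected afterwards.
workdir=$(mktemp -d)
make_cert "$workdir/dns_only" "DNS:router.example.internal"
make_cert "$workdir/with_ip"  "DNS:router.example.internal,IP:127.0.0.1"

for c in dns_only with_ip; do
    if covers_host "$workdir/$c.pem" router.example.internal; then
        echo "$c: valid for router.example.internal"
    fi
    if covers_ip "$workdir/$c.pem" 127.0.0.1; then
        echo "$c: valid for clients connecting to 127.0.0.1"
    else
        echo "$c: rejected by a client that validates 127.0.0.1"
    fi
done
```

Running `covers_ip` against the certificate a deployment actually issues shows whether it will satisfy clients before they are repointed at the new CA.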