Rotating MySQL Credentials

Warning: VMware Tanzu™ SQL with MySQL for Kubernetes is currently in beta and is intended for evaluation and test purposes only. Do not use this product in a production environment. If you discover any bugs, contact Support.

This topic describes how to rotate the MySQL root password and the MySQL backup user password.

Overview

When a user provisions a Tanzu MySQL for Kubernetes instance, the Tanzu MySQL for Kubernetes Operator automatically creates a Kubernetes secret containing the MySQL root password as well as the password for the MySQL backup user.

To adhere to security best practices or to company regulations, VMware recommends rotating a Tanzu MySQL for Kubernetes instance’s credentials regularly. In addition, you should rotate a password if it is compromised for any reason.

This topic provides multiple methods for rotating passwords for a Tanzu MySQL for Kubernetes instance.

Prerequisites

Before you rotate a Tanzu MySQL for Kubernetes instance’s password, you need:

  • The Kubernetes Command Line Interface (kubectl) installed. For more information, see the Kubernetes documentation.

  • admin Role access to the namespace of the Tanzu MySQL for Kubernetes instance for which you want to rotate the root password. For more information about User-facing roles, see the Kubernetes documentation.

Option 1: Delete the Kubernetes Secret

This option deletes the Kubernetes secret containing the MySQL passwords. When the secret is deleted, Kubernetes automatically re-creates the secret with newly generated passwords. This procedure rotates both the MySQL root password and the backup user password.

  1. Delete the Kubernetes secret by running:

    kubectl delete secret INSTANCE-NAME-credentials
    

    Where INSTANCE-NAME is the name of the Tanzu MySQL for Kubernetes instance.

    For example:

    $ kubectl delete secret tanzumysql-sample-credentials
    
    secret "tanzumysql-sample-credentials" deleted
  2. Wait until Kubernetes has automatically re-created the secret. You can watch the progress by running:

    kubectl get secret --watch
    

    For example:

    $ kubectl get secret --watch
    
    NAME                                  TYPE                                  DATA   AGE
    default-token-wb7gl                   kubernetes.io/service-account-token   3      10d
    tanzumysql-sample-credentials         Opaque                                4      48s
    tanzu-mysql-backup-cron-token-c7bnt   kubernetes.io/service-account-token   3      10d
    tanzu-mysql-image-registry            kubernetes.io/dockerconfigjson        1      2m3s
    tanzu-mysql-token-24cdv               kubernetes.io/service-account-token   3      10d
  3. Update the database with the new passwords by restarting your Tanzu MySQL for Kubernetes instance:

    kubectl rollout restart statefulset INSTANCE-NAME
    

    For example:

    $ kubectl rollout restart statefulset tanzumysql-sample
    
    statefulset.apps/tanzumysql-sample restarted
  4. Verify that your Tanzu MySQL for Kubernetes instance has finished updating by running:

    kubectl get tanzumysql INSTANCE-NAME
    

    A Tanzu MySQL for Kubernetes instance has finished updating when the value of the STATUS column is Running. For example:

    $ kubectl get tanzumysql tanzumysql-sample
    
    NAME                READY   STATUS    AGE
    tanzumysql-sample   true    Running   10d
  5. To verify that the passwords were rotated successfully, try connecting to your Tanzu MySQL for Kubernetes instance by following instructions in Connect to the MySQL Server with the Kubernetes API Server.

Option 2: Patch the Kubernetes Secret with a Custom Password

This option patches the existing Kubernetes secret with a new password. This procedure allows you to configure Tanzu MySQL with your own custom passwords. You can use this procedure to rotate either the MySQL root password or the backup user password.

  1. Patch the secret with your custom password by running:

    kubectl patch secret INSTANCE-NAME-credentials -p='{"stringData":{"PASSWORD-FIELD":"CUSTOM-PASSWORD"}}'
    

    Where:

    • INSTANCE-NAME is the name of the Tanzu MySQL for Kubernetes instance.
    • PASSWORD-FIELD is either rootPassword if you are changing the MySQL root password or backupPassword if you are changing the MySQL backup user password.
    • CUSTOM-PASSWORD is your custom password in plaintext. Kubernetes stores this password as a base64-encoded string in the Kubernetes secret.

    For example:

    $ kubectl patch secret tanzumysql-sample-credentials -p='{"stringData":{"rootPassword":"examplepassword"}}'
    
    secret/tanzumysql-sample-credentials patched
  2. To update the database with the new password, restart your Tanzu MySQL for Kubernetes instance by running:

    kubectl rollout restart statefulset INSTANCE-NAME
    

    For example:

    $ kubectl rollout restart statefulset tanzumysql-sample
    
    statefulset.apps/tanzumysql-sample restarted
  3. Verify that your Tanzu MySQL for Kubernetes instance has finished updating by running:

    kubectl get tanzumysql INSTANCE-NAME
    

    A Tanzu MySQL for Kubernetes instance has finished updating when the value of the STATUS column is Running. For example:

    $ kubectl get tanzumysql tanzumysql-sample
    
    NAME                READY   STATUS    AGE
    tanzumysql-sample   true    Running   10d
  4. To verify that the password was rotated successfully, try connecting to your Tanzu MySQL for Kubernetes instance by following instructions in Connect to the MySQL Server with the Kubernetes API Server.
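The two procedures above (Option 1 and Option 2), combined into one shell script as an added example. This script is not part of the VMware documentation or of the Tanzu MySQL for Kubernetes product. It assumes that the STATUS column of kubectl get tanzumysql is the third column, as in the output shown above, and it uses kubectl rollout status and --no-headers, which are standard kubectl options not shown on this page. The helper names (rotate_by_regenerating, rotate_with_custom_password, read_secret_field, build_patch) and the KUBECTL override variable are the example's own, not product features. The JSON-escaping helper exists because the documented one-line patch silently produces an invalid body when the password contains a double quote or a backslash.

```shell
#!/bin/sh
# Added example (not VMware's code): rotate Tanzu MySQL for Kubernetes
# credentials either by regenerating them (Option 1) or by setting a
# custom value for rootPassword or backupPassword (Option 2).
set -eu

# KUBECTL can be pointed at a wrapper or stub for dry runs and tests (assumption
# of this example, not a product setting).
KUBECTL="${KUBECTL:-kubectl}"
POLL_SECONDS="${POLL_SECONDS:-5}"
MAX_POLLS="${MAX_POLLS:-60}"

# Escape a value for use inside a JSON string literal (backslash first, then quotes).
json_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the stringData patch body documented in Option 2, step 1.
build_patch() {
  printf '{"stringData":{"%s":"%s"}}' "$1" "$(json_escape "$2")"
}

# 32 alphanumeric characters from the kernel CSPRNG; avoids quoting problems entirely.
generate_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Option 1, step 2: wait until the Operator has re-created INSTANCE-NAME-credentials.
wait_for_secret() {
  i=0
  while ! "$KUBECTL" get secret "$1-credentials" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt "$MAX_POLLS" ] || { echo "secret $1-credentials was not re-created" >&2; return 1; }
    sleep "$POLL_SECONDS"
  done
}

# Restart the StatefulSet and wait for the rollout, then for STATUS Running
# (Option 1 steps 3-4, Option 2 steps 2-3). Checking rollout status first
# avoids reading the stale Running status of the old pods.
restart_and_wait() {
  "$KUBECTL" rollout restart statefulset "$1"
  "$KUBECTL" rollout status statefulset "$1"
  i=0
  while :; do
    # Assumption: columns are NAME READY STATUS AGE, so STATUS is field 3.
    status=$("$KUBECTL" get tanzumysql "$1" --no-headers | awk '{print $3}')
    [ "$status" = "Running" ] && return 0
    i=$((i + 1))
    [ "$i" -lt "$MAX_POLLS" ] || { echo "instance $1 status is '$status', not Running" >&2; return 1; }
    sleep "$POLL_SECONDS"
  done
}

# Option 1: delete the secret; both root and backup passwords are regenerated.
rotate_by_regenerating() {
  "$KUBECTL" delete secret "$1-credentials"
  wait_for_secret "$1"
  restart_and_wait "$1"
}

# Option 2: patch one field with a custom password. $1 instance, $2 field, $3 password.
rotate_with_custom_password() {
  case "$2" in
    rootPassword|backupPassword) ;;
    *) echo "PASSWORD-FIELD must be rootPassword or backupPassword" >&2; return 1 ;;
  esac
  "$KUBECTL" patch secret "$1-credentials" -p="$(build_patch "$2" "$3")"
  restart_and_wait "$1"
}

# Decode the stored (base64) value to confirm what the secret now holds.
read_secret_field() {
  "$KUBECTL" get secret "$1-credentials" -o jsonpath="{.data.$2}" | base64 -d
}

main() {
  case "${1:-}" in
    regenerate) rotate_by_regenerating "${2:?INSTANCE-NAME required}" ;;
    set)
      pw="${4:-$(generate_password)}"
      rotate_with_custom_password "${2:?INSTANCE-NAME required}" "${3:?PASSWORD-FIELD required}" "$pw"
      [ -n "${4:-}" ] || printf 'generated %s for %s: %s\n' "$3" "$2" "$pw" ;;
    *) echo "usage: $0 regenerate INSTANCE-NAME | set INSTANCE-NAME rootPassword|backupPassword [PASSWORD]" >&2 ;;
  esac
}

main "$@"
```

Running "set tanzumysql-sample rootPassword" without a fourth argument lets the script generate the password, so the value never appears in shell history or in the process list the way a literal passed to kubectl patch -p does; the generated value is printed once so it can be recorded. After either mode finishes, read_secret_field tanzumysql-sample rootPassword shows the decoded value the secret now holds, and the connection test in step 5 (Option 1) or step 4 (Option 2) confirms the server accepted it.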