Rotating MySQL Credentials

This topic describes how to rotate the MySQL root password and the MySQL backup user password.

Overview

When a user provisions a MySQL instance, the MySQL Operator automatically creates a Kubernetes secret containing the MySQL root password as well as the password for the MySQL backup user.

To adhere to security best practices or to company regulations, VMware recommends rotating a MySQL instance’s credentials regularly. In addition, you should rotate a password if it is compromised for any reason.

This topic provides multiple methods for rotating passwords for a MySQL instance.

Prerequisites

Before you rotate a MySQL instance’s password, you need:

  • The Kubernetes Command Line Interface (kubectl) installed. For more information, see the Kubernetes documentation.

  • Access through the admin role to the namespace of the MySQL instance for which you want to rotate the root password. For more information about user-facing roles, see the Kubernetes documentation.

Option 1: Delete the Kubernetes Secret

This option deletes the Kubernetes secret containing the MySQL passwords. When the secret is deleted, Kubernetes automatically re-creates the secret with newly generated passwords. This procedure rotates both the MySQL root password and the backup user password.

  1. Delete the Kubernetes secret by running:

    kubectl delete secret INSTANCE-NAME-credentials

    Where INSTANCE-NAME is the name of the MySQL instance.

    For example:

    $ kubectl delete secret mysql-sample-credentials

    secret "mysql-sample-credentials" deleted
  2. Wait until the secret has been automatically re-created. You can watch the progress by running:

    kubectl get secret --watch

    The secret has been re-created when INSTANCE-NAME-credentials appears again in the list with a small AGE value. For example, here mysql-sample-credentials was re-created 48 seconds ago:

    $ kubectl get secret --watch

    NAME                                  TYPE                                  DATA   AGE
    default-token-wb7gl                   kubernetes.io/service-account-token   3      10d
    mysql-sample-credentials              Opaque                                4      48s
    tanzu-mysql-backup-cron-token-c7bnt   kubernetes.io/service-account-token   3      10d
    tanzu-mysql-image-registry            kubernetes.io/dockerconfigjson        1      2m3s
    tanzu-mysql-token-24cdv               kubernetes.io/service-account-token   3      10d
  3. Update the database with the new passwords by restarting your MySQL instance:

    kubectl rollout restart statefulset INSTANCE-NAME

    For example:

    $ kubectl rollout restart statefulset mysql-sample

    statefulset.apps/mysql-sample restarted
  4. Verify that your MySQL instance has finished updating by running:

    kubectl get mysql INSTANCE-NAME

    A MySQL instance has finished updating when the value of the STATUS column is Running. For example:

    $ kubectl get mysql mysql-sample

    NAME           READY   STATUS    AGE
    mysql-sample   true    Running   10d
  5. To verify that the passwords were rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.

Option 2: Patch the Kubernetes Secret with a Custom Password

This option patches the existing Kubernetes secret with a new password. This procedure allows you to configure MySQL with your own custom passwords. You can use this procedure to rotate either the MySQL root password or the backup user password.

  1. Patch the secret with your custom password by running:

    kubectl patch secret INSTANCE-NAME-credentials -p='{"stringData":{"PASSWORD-FIELD":"CUSTOM-PASSWORD"}}'

    Where:

    • INSTANCE-NAME is the name of the MySQL instance.
    • PASSWORD-FIELD is either rootPassword if you are changing the MySQL root password or backupPassword if you are changing the MySQL backup user password.
    • CUSTOM-PASSWORD is your custom password in plaintext. Kubernetes stores this password as a base64-encoded string in the Kubernetes secret.

    For example:

    $ kubectl patch secret mysql-sample-credentials -p='{"stringData":{"rootPassword":"examplepassword"}}'

    secret/mysql-sample-credentials patched
  2. To update the database with the new password, restart your MySQL instance by running:

    kubectl rollout restart statefulset INSTANCE-NAME

    For example:

    $ kubectl rollout restart statefulset mysql-sample

    statefulset.apps/mysql-sample restarted
  3. Verify that your MySQL instance has finished updating by running:

    kubectl get mysql INSTANCE-NAME

    A MySQL instance has finished updating when the value of the STATUS column is Running. For example:

    $ kubectl get mysql mysql-sample

    NAME           READY   STATUS    AGE
    mysql-sample   true    Running   10d
  4. To verify that the password was rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.
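The following script automates both procedures above (Option 1: delete the secret and wait for it to be re-created; Option 2: patch a single password field) and the two checks each of them ends with. It is an added example, not code from the Tanzu MySQL documentation or from the MySQL Operator. It assumes kubectl is on PATH, that the credentials secret is named INSTANCE-NAME-credentials with the fields rootPassword and backupPassword as documented above, and that the caller already has admin access to the namespace; the `run` and `sleep` parameters default to the standard library and exist only so the flow can be exercised offline with a fake kubectl. The instance and namespace names are constructed sample values.

```python
"""Helpers for rotating MySQL Operator credentials (added example; assumptions noted below).

Assumes: kubectl on PATH, secret INSTANCE-credentials with fields rootPassword and
backupPassword, and admin access to the namespace. `run` defaults to subprocess.run.
"""
import base64
import json
import subprocess
import time
from datetime import datetime, timezone

PASSWORD_FIELDS = ("rootPassword", "backupPassword")  # field names from the docs above


def credentials_secret_name(instance):
    return f"{instance}-credentials"


def build_secret_patch(field, password):
    """Return the -p payload for `kubectl patch secret`. json.dumps handles escaping,
    so quotes, backslashes or non-ASCII characters in the password cannot break the
    JSON the way hand-written JSON inside shell quotes can."""
    if field not in PASSWORD_FIELDS:
        raise ValueError(f"unknown password field {field!r}; expected one of {PASSWORD_FIELDS}")
    if not password:
        raise ValueError("password must not be empty")
    return json.dumps({"stringData": {field: password}})


def kubectl(args, namespace=None):
    """Build an argv list; no shell is involved, so no quoting problems."""
    argv = ["kubectl"]
    if namespace:
        argv += ["-n", namespace]
    return argv + list(args)


def restart_instance(instance, namespace=None, run=subprocess.run):
    """Apply the new secret contents to the database by restarting the StatefulSet."""
    run(kubectl(["rollout", "restart", "statefulset", instance], namespace), check=True)


def rotate_custom_password(instance, field, password, namespace=None, run=subprocess.run):
    """Option 2: patch one password field, then restart the instance."""
    secret = credentials_secret_name(instance)
    payload = build_secret_patch(field, password)
    run(kubectl(["patch", "secret", secret, "-p", payload], namespace), check=True)
    restart_instance(instance, namespace, run)


def secret_recreated_since(secret_json, started_at):
    """Option 1 check: the re-created secret carries a creationTimestamp at or after
    the moment the old one was deleted (Kubernetes timestamps have second resolution)."""
    stamp = secret_json["metadata"]["creationTimestamp"]
    created = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return created >= started_at


def rotate_generated_passwords(instance, namespace=None, run=subprocess.run,
                               attempts=30, sleep=time.sleep):
    """Option 1: delete the secret, poll until the operator re-creates it, then restart.
    Returns False if the secret did not reappear within `attempts` polls."""
    secret = credentials_secret_name(instance)
    started_at = datetime.now(timezone.utc).replace(microsecond=0)
    run(kubectl(["delete", "secret", secret], namespace), check=True)
    for _ in range(attempts):
        result = run(kubectl(["get", "secret", secret, "-o", "json"], namespace),
                     capture_output=True, text=True)
        if result.returncode == 0 and secret_recreated_since(json.loads(result.stdout), started_at):
            restart_instance(instance, namespace, run)
            return True
        sleep(2)
    return False


def decode_secret_field(secret_json, field):
    """Read a password back from `kubectl get secret NAME -o json` output: Kubernetes
    stores stringData base64-encoded under .data. Returns None if the field is absent."""
    data = secret_json.get("data") or {}
    if field not in data:
        return None
    return base64.b64decode(data[field]).decode("utf-8")


def parse_kubectl_table(text):
    """Parse the whitespace-aligned table kubectl prints (e.g. `kubectl get mysql`)."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def instance_is_running(get_mysql_output, instance):
    """Final check of both procedures: the STATUS column for the instance reads Running."""
    for row in parse_kubectl_table(get_mysql_output):
        if row.get("NAME") == instance:
            return row.get("STATUS") == "Running"
    return False


if __name__ == "__main__":
    # Sample invocation for Option 2; "db" and the password are constructed values.
    print(kubectl(["patch", "secret", "mysql-sample-credentials", "-p",
                   build_secret_patch("rootPassword", "examplepassword")], "db"))
```

Two points worth noting about the design: passing the patch as an argv element rather than through a shell string keeps a password containing quotes or backslashes from corrupting the JSON, and building the value with json.dumps also keeps the plaintext out of an interactive shell history when the script is run from a file. After either rotation, decode_secret_field on the output of `kubectl get secret INSTANCE-NAME-credentials -o json` confirms which value is now stored, and instance_is_running on the output of `kubectl get mysql INSTANCE-NAME` confirms the restart has completed, matching the manual checks in steps 4 and 3 above.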